Veracode Vulnerability Database | VERACODE:42986
Aug 29, 2023 - 4:05 a.m.

Path Traversal

2023-08-29 04:05:56
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: path traversal, vulnerability, pyramid, software, static.py, null-byte characters, attacker access, index.html

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low
Percentile: 27.1%

pyramid is vulnerable to Path Traversal. The vulnerability exists because static.py does not properly remove null-byte characters from the path element, which allows an attacker to gain access to index.html located exactly one directory above the location of the static view’s file system path.

Affected (CPE):
Name: pyramid | Operator: le | Version: 2.0.1
