Published: 31 Jul 2024
Source: github
GitHub: Reviewed
CVSS4: 8.7
CVSS3: 8.8
Description
Weave server API vulnerable to arbitrary file leak
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.
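The kind of check the description says was missing, shown as an added Python example that is not Weave's code or its fix: a naive join beside a containment check, run over a constructed temporary directory. The function names, file names and directory layout are hypothetical.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideBase(Exception):
    """The requested name resolves outside the served directory."""


def naive_join(base_dir, requested):
    # Weak pattern: client-supplied name joined with no validation, so
    # "../" segments, absolute paths and symlinks can all leave base_dir.
    return Path(os.path.join(base_dir, requested))


def resolve_under(base_dir, requested):
    # Hardened pattern: canonicalise first (".." and symlinks resolved),
    # then require the result to remain inside the served directory.
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathOutsideBase(requested) from None
    return candidate


def demo():
    # Constructed layout: <tmp>/served/report.txt is meant to be fetchable,
    # <tmp>/secret.txt is not. Returns (case, naive_leaks, hardened_allows).
    rows = []
    with tempfile.TemporaryDirectory() as tmp:
        served = Path(tmp, "served")
        served.mkdir()
        (served / "report.txt").write_text("public")
        secret = Path(tmp, "secret.txt")
        secret.write_text("constructed-secret")
        os.symlink(secret, served / "link")
        cases = [("plain", "report.txt"), ("dotdot", "../secret.txt"),
                 ("absolute", str(secret)), ("symlink", "link")]
        for label, name in cases:
            leaks = naive_join(served, name).read_text() == "constructed-secret"
            allowed = True
            try:
                resolve_under(served, name)
            except PathOutsideBase:
                allowed = False
            rows.append((label, leaks, allowed))
    return rows
```

Calling `demo()` returns one row per request: only the plain file name is served by the containment check, while the naive join returns the out-of-directory file for the other three.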
Packages
Name: weave (pip)
Affected versions: < 0.50.8
Fixed version: 0.50.8
Related vulnerabilities
CVSS3: 8.8
nvd
more than 1 year ago
The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.