
exploitDog


GHSA-vcvg-xgr8-p5gq

Published: 09 Jun 2023
Source: github
Github: Reviewed
CVSS3: 6.5

Description

Arbitrary file read using percent-encoded relative paths in FileMiddleware

Impact

Attackers can access data at arbitrary filesystem paths on the same host as an application using FileMiddleware.

Patches

Version 4.29.4

Workarounds

Upgrade to 4.24.4 or later, or disable FileMiddleware.

References

For more information

If you have any questions or comments about this advisory:

Packages

Name: github.com/vapor/vapor
Affected versions: >= 4.0.0-rc.2.5, < 4.29.4
Fixed version: 4.29.4

EPSS

Percentile: 68%
0.00567
Low

6.5 Medium

CVSS3

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 8.5
nvd
more than 5 years ago

Vapor is a web framework for Swift. In Vapor before version 4.29.4, attackers can access data at arbitrary filesystem paths on the same host as an application. Only applications using FileMiddleware are affected. This is fixed in version 4.29.4.
