Lucene search

GoogleOSV:CVE-2022-35920

HistoryAug 01, 2022 - 10:15 p.m.

CVE-2022-35920

2022-08-0122:15:10

Google

osv.dev

sanic

python

web server

directory traversal

security issue

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

45.5%

JSON

Sanic is an opensource python web server/framework. Affected versions of sanic allow access to lateral directories when using app.static if using encoded %2F URLs. Parent directory traversal is not impacted. Users are advised to upgrade. There is no known workaround for this issue.

References

github.com/sanic-org/sanic/issues/2478

github.com/sanic-org/sanic/pull/2495

github.com/sanic-org/sanic/security/advisories/GHSA-8cw9-5hmv-77w6

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

45.5%

JSON

Related for OSV:CVE-2022-35920