Lucene search
GoogleOSV:GHSA-8CW9-5HMV-77W6HistoryAug 06, 2022 - 5:21 a.m.
sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs
2022-08-0605:21:19
Google
osv.dev
12
sanic
path traversal
%2f urls
lateral directories
v20.12.7
v21.12.2
v22.6.1
CVSS3
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS
0.001
Percentile
45.5%
Impact
Access to lateral directories when using app.static if using encoded %2F URLs. Parent directory traversal is not impacted.
Patches
- v20.12.7 (LTS)
- v21.12.2 (LTS)
- v22.6.1
References
https://github.com/sanic-org/sanic/issues/2478
https://github.com/sanic-org/sanic/pull/2495
For more information
If you have any questions or comments about this advisory:
- Open an issue in the community forums
- Ping us on the Discord server
Related
cvelist
cvelist
prion
prion
Directory traversal
2022-08-01 22:15:00
cve
cve
CVE-2022-35920
2022-08-01 22:15:10
veracode
veracode
Directory Traversal
2022-08-02 09:27:24
github
github
nvd
nvd
CVE-2022-35920
2022-08-01 22:15:10
osv
osv
CVE-2022-35920
2022-08-01 22:15:10
CVSS3
8.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
EPSS
0.001
Percentile
45.5%
Related for OSV:GHSA-8CW9-5HMV-77W6