| id: GO-2020-0033 |
| modules: |
| - module: aahframe.work |
| versions: |
| - fixed: 0.12.4 |
| vulnerable_at: 0.12.3 |
| packages: |
| - package: aahframe.work |
| symbols: |
| - HTTPEngine.Handle |
| derived_symbols: |
| - Application.Run |
| - Application.ServeHTTP |
| - Application.Start |
| summary: Path Traversal in aahframe.work |
| description: |- |
| Due to improper sanitization of user input, HTTPEngine.Handle allows for |
| directory traversal, allowing an attacker to read files outside of the target |
| directory that the server has permission to read. |
| published: 2021-04-14T20:04:52Z |
| ghsas: |
| - GHSA-vp56-r7qv-783v |
| credits: |
| - '@snyff' |
| references: |
| - fix: https://github.com/go-aah/aah/pull/267 |
| - fix: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec |
| - report: https://github.com/go-aah/aah/issues/266 |
| cve_metadata: |
| id: CVE-2020-36559 |
| cwe: 'CWE 23: Relative Path Traversal' |
| review_status: REVIEWED |