blob: 3d852f15d469bf224cd2d0ecd238e00e24c36535 [file] [log] [blame]
id: GO-2020-0033
modules:
- module: aahframe.work
versions:
- fixed: 0.12.4
vulnerable_at: 0.12.3
packages:
- package: aahframe.work
symbols:
- HTTPEngine.Handle
derived_symbols:
- Application.Run
- Application.ServeHTTP
- Application.Start
summary: Path Traversal in aahframe.work
description: |-
Due to improper sanitization of user input, HTTPEngine.Handle allows for
directory traversal, allowing an attacker to read files outside of the target
directory that the server has permission to read.
published: 2021-04-14T20:04:52Z
ghsas:
- GHSA-vp56-r7qv-783v
credits:
- '@snyff'
references:
- fix: https://github.com/go-aah/aah/pull/267
- fix: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
- report: https://github.com/go-aah/aah/issues/266
cve_metadata:
id: CVE-2020-36559
cwe: 'CWE 23: Relative Path Traversal'
review_status: REVIEWED