data/reports/GO-2020-0033.yaml - vulndb - Git at Google

 id: GO-2020-0033
 modules:
     - module: aahframe.work
       versions:
         - fixed: 0.12.4
       vulnerable_at: 0.12.3
       packages:
         - package: aahframe.work
           symbols:
             - HTTPEngine.Handle
           derived_symbols:
             - Application.Run
             - Application.ServeHTTP
             - Application.Start
 summary: Path Traversal in aahframe.work
 description: |-
     Due to improper sanitization of user input, HTTPEngine.Handle allows for
     directory traversal, allowing an attacker to read files outside of the target
     directory that the server has permission to read.
 published: 2021-04-14T20:04:52Z
 ghsas:
     - GHSA-vp56-r7qv-783v
 credits:
     - '@snyff'
 references:
     - fix: https://github.com/go-aah/aah/pull/267
     - fix: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
     - report: https://github.com/go-aah/aah/issues/266
 cve_metadata:
     id: CVE-2020-36559
     cwe: 'CWE 23: Relative Path Traversal'
	id: GO-2020-0033
	modules:
	- module: aahframe.work
	versions:
	- fixed: 0.12.4
	vulnerable_at: 0.12.3
	packages:
	- package: aahframe.work
	symbols:
	- HTTPEngine.Handle
	derived_symbols:
	- Application.Run
	- Application.ServeHTTP
	- Application.Start
	summary: Path Traversal in aahframe.work
	description: \|-
	Due to improper sanitization of user input, HTTPEngine.Handle allows for
	directory traversal, allowing an attacker to read files outside of the target
	directory that the server has permission to read.
	published: 2021-04-14T20:04:52Z
	ghsas:
	- GHSA-vp56-r7qv-783v
	credits:
	- '@snyff'
	references:
	- fix: https://github.com/go-aah/aah/pull/267
	- fix: https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
	- report: https://github.com/go-aah/aah/issues/266
	cve_metadata:
	id: CVE-2020-36559
	cwe: 'CWE 23: Relative Path Traversal'