GHSA-8cw9-5hmv-77w6

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8cw9-5hmv-77w6/GHSA-8cw9-5hmv-77w6.json
Aliases
  • CVE-2022-35920
Published
2022-08-06T05:21:19Z
Modified
2022-08-15T08:56:39.556850Z
Details

Impact

Files in lateral directories can be accessed through routes registered with app.static when the request URL contains a percent-encoded slash (%2F). Parent directory traversal is not impacted.
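The advisory does not spell out the exact code path, so the following is added here as an illustration of the containment check a static-file handler needs; it is not Sanic's own implementation and not code from the advisory. It percent-decodes the request path before normalising it, resolves the result against the served root, and refuses anything that lands outside that root, which covers encoded slashes, encoded dot-dot, literal traversal and absolute paths alike. The function names (`resolve_static_path`, `demo`) and the directory layout are constructed for this example.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_static_path(root: str, url_path: str) -> Optional[Path]:
    """Map the path part of a request below a static mount to a file under root.

    Returns the resolved file, or None when the request must be refused.
    The URL path is percent-decoded *before* normalisation, so an encoded
    slash (%2F) or encoded dot (%2E) behaves exactly like its literal form and
    cannot smuggle a separator past the containment check.
    """
    decoded = unquote(url_path)
    # Embedded NUL bytes and absolute paths are never valid static requests.
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    root_resolved = Path(root).resolve()
    # resolve() collapses ".." and follows symlinks, so a link inside root
    # that points outside it is also caught by the containment check below.
    candidate = (root_resolved / decoded).resolve()
    try:
        candidate.relative_to(root_resolved)  # raises ValueError if outside root
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Exercise the resolver against a constructed directory tree.

    Constructed layout (created in a temporary directory for this example):
        public/index.html      the mounted static root
        public/css/site.css
        private/secret.txt     a sibling directory that must stay unreachable
    """
    base = Path(tempfile.mkdtemp()).resolve()
    try:
        public = base / "public"
        (public / "css").mkdir(parents=True)
        (base / "private").mkdir()
        (public / "index.html").write_text("<h1>hello</h1>")
        (public / "css" / "site.css").write_text("body{}")
        (base / "private" / "secret.txt").write_text("top secret")

        requests = [
            "index.html",                            # plain file under the root
            "css%2Fsite.css",                        # encoded slash, still inside root
            "..%2Fprivate%2Fsecret.txt",             # encoded separators into a sibling dir
            "../private/secret.txt",                 # literal parent traversal
            "%2E%2E%2Fprivate%2Fsecret.txt",         # fully encoded dot-dot-slash
            "css%2F..%2F..%2Fprivate%2Fsecret.txt",  # descend, then climb out
            "/etc/hostname",                         # absolute path
        ]
        results: Dict[str, Optional[str]] = {}
        for req in requests:
            target = resolve_static_path(str(public), req)
            results[req] = target.relative_to(base).as_posix() if target else None
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:45} -> {outcome or 'refused'}")
```

The point of the check is that it is made on the fully decoded, fully resolved path rather than on the raw URL: an encoded slash inside the root (`css%2Fsite.css`) is served, while the same encoding used to reach a sibling directory is refused.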

Patches

  • v20.12.7 (LTS)
  • v21.12.2 (LTS)
  • v22.6.1

References

  • https://github.com/sanic-org/sanic/issues/2478
  • https://github.com/sanic-org/sanic/pull/2495

For more information

If you have any questions or comments about this advisory:

  • Open an issue in the community forums
  • Ping us on the Discord server

Affected packages

PyPI / sanic

sanic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
22.0.0
Fixed
22.6.1

Affected versions

22.*

22.3.0
22.3.1
22.3.2
22.6.0

PyPI / sanic

sanic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
21.0.0
Fixed
21.12.2

Affected versions

21.*

21.12.0
21.12.1
21.3.0
21.3.1
21.3.2
21.3.4
21.6.0
21.6.1
21.6.2
21.9.0
21.9.1
21.9.2
21.9.3

PyPI / sanic

sanic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
20.12.7

Affected versions

0.*

0.1.0
0.1.1
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.4
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.8.3

18.*

18.12.0

19.*

19.12.0
19.12.2
19.12.3
19.12.4
19.12.5
19.3.1
19.6.0
19.6.2
19.6.3
19.9.0

20.*

20.12.0
20.12.1
20.12.2
20.12.3
20.12.4
20.12.5
20.12.6
20.3.0
20.6.0
20.6.1
20.6.2
20.6.3
20.9.0
20.9.1
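The three ranges above use OSV "introduced"/"fixed" events, under which a version is affected when introduced <= version < fixed on that release line. As an added example (not tooling from the advisory or from the Sanic project), the following Python encodes those ranges and evaluates an installed version against them, returning the first fixed release to upgrade to. The function names are assumptions made for this example.

```python
from typing import List, Optional, Tuple

# (introduced, fixed) pairs copied from the three ECOSYSTEM ranges above.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("0", "20.12.7"),
    ("21.0.0", "21.12.2"),
    ("22.0.0", "22.6.1"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a dotted numeric version into a 3-tuple for ordered comparison.

    Sanic numbers releases YY.M.patch, which still compares correctly as
    integers. Missing components are padded with zero ("0" -> (0, 0, 0)).
    Non-numeric components (pre-release tags) are rejected rather than guessed.
    """
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (introduced, fixed) range containing version, or None.

    OSV semantics: affected when introduced <= version < fixed. A version at
    or past the fixed release of its line is not affected, and a line that
    was never introduced (23.x here) is not affected either.
    """
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= v < parse_version(fixed):
            return introduced, fixed
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def minimum_fix(version: str) -> Optional[str]:
    """Return the first fixed release on the same line, or None if not affected."""
    rng = affected_range(version)
    return rng[1] if rng else None


if __name__ == "__main__":
    for v in ("0.8.3", "20.12.6", "20.12.7", "21.12.1", "21.12.2",
              "22.6.0", "22.6.1", "23.3.0"):
        print(f"sanic {v:8} affected={is_affected(v)!s:5} upgrade_to={minimum_fix(v)}")
```

Note that the boundary is half-open: 22.6.0 is affected while 22.6.1 is not, and the same holds at 21.12.2 and 20.12.7.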