There's a security issue in prosody-filer versions < 1.0.1 that leads to unwanted directory listings of download directories.
An attacker is able to list previous uploads of a certain user by shortening the URL and accessing a URL subdirectory other than /upload/ (or the corresponding user-defined root dir).
Version 1.0.1 and later fix this problem and allow only direct file access if the full path is known. Directory listings are blocked entirely.
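The behaviour described for 1.0.1 (file access only by full path, no listings) can be shown with Go's `net/http`, whose `http.FileServer` renders a listing for any directory path unless the file system it is given hides directories. This is an added example, not prosody-filer's own patch: `noListFS`, `statusFor`, `demoStore` and the `a1b2c3` directory are hypothetical names, and the upload tree is a constructed in-memory one.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"testing/fstest"
)

// noListFS wraps any http.FileSystem (http.Dir included) and hides
// directories, so only a request naming a complete file path succeeds.
type noListFS struct{ fs http.FileSystem }

func (n noListFS) Open(name string) (http.File, error) {
	f, err := n.fs.Open(name)
	if err != nil {
		return nil, err
	}
	if st, err := f.Stat(); err != nil || st.IsDir() {
		f.Close()
		return nil, os.ErrNotExist // http.FileServer answers 404
	}
	return f, nil
}

// statusFor serves fs under /upload/ and returns the status code for path.
func statusFor(fs http.FileSystem, path string) int {
	h := http.StripPrefix("/upload/", http.FileServer(fs))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

// demoStore is a constructed in-memory upload tree: a1b2c3/photo.txt
func demoStore() http.FileSystem {
	return http.FS(fstest.MapFS{"a1b2c3/photo.txt": {Data: []byte("demo")}})
}

func main() {
	weak, fixed := demoStore(), noListFS{demoStore()}
	for _, p := range []string{"/upload/", "/upload/a1b2c3/", "/upload/a1b2c3/photo.txt"} {
		fmt.Println(p, "default:", statusFor(weak, p), "wrapped:", statusFor(fixed, p))
	}
}
```

The same status checks against a deployed instance (shortened URL returns 404, full file URL returns 200) make a quick regression test after upgrading.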
{ "nvd_published_at": null, "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2021-05-24T21:22:08Z" }