The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.
{ "github_reviewed_at": "2024-07-31T20:54:48Z", "severity": "HIGH", "cwe_ids": [ "CWE-20", "CWE-22" ], "github_reviewed": true, "nvd_published_at": "2024-07-31T15:15:11Z" }