GHSA-vcvg-xgr8-p5gq

Suggest an improvement
Source
https://github.com/advisories/GHSA-vcvg-xgr8-p5gq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-vcvg-xgr8-p5gq/GHSA-vcvg-xgr8-p5gq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vcvg-xgr8-p5gq
Aliases
Published
2023-06-09T19:31:32Z
Modified
2023-11-08T04:02:34.559462Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Arbitrary file read using percent-encoded relative paths in FileMiddleware
Details

Impact

Attackers can access data at arbitrary filesystem paths on the same host as an application using FileMiddleware.

Patches

Version 4.29.4

Workarounds

Upgrade to 4.24.4 or later, or disable FileMiddleware.

References

  • Introduced in https://github.com/vapor/vapor/pull/2223
  • Fixed by https://github.com/vapor/vapor/pull/2500

For more information

If you have any questions or comments about this advisory: * Open an issue * Email us at security@vapor.codes

References

Affected packages

SwiftURL / github.com/vapor/vapor

Package

Name
github.com/vapor/vapor

Affected ranges

Type
SEMVER
Events
Introduced
4.0.0-rc.2.5
Fixed
4.29.4