GO-2020-0033

See a problem?

Source

https://pkg.go.dev/vuln/GO-2020-0033

Import Source

https://vuln.go.dev/ID/GO-2020-0033.json

Aliases

CVE-2020-36559
GHSA-vp56-r7qv-783v

Published

2021-04-14T20:04:52Z

Modified

2024-05-20T16:03:47Z

Summary

Path Traversal in aahframe.work

Details

Due to improper sanitization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

References

https://github.com/go-aah/aah/pull/267
https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
https://github.com/go-aah/aah/issues/266

Credits

- @snyff

Affected packages

Go / aahframe.work

Package

Name: aahframe.work
Purl: pkg:golang/aahframe.work

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

0.12.4

Ecosystem specific

{
    "imports": [
        {
            "path": "aahframe.work",
            "symbols": [
                "Application.Run",
                "Application.ServeHTTP",
                "Application.Start",
                "HTTPEngine.Handle"
            ]
        }
    ]
}