
GHSA-qmfx-75ff-8mw6 github.com/thomasleister/prosody-filer

Package

Manager: go
Name: github.com/thomasleister/prosody-filer
Vulnerable Version: >=0 <1.0.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Listing of upload directory contents possible

There is a security issue in prosody-filer versions **< 1.0.1** which leads to unwanted directory listings of download directories. An attacker is able to list previous uploads of a certain user by shortening the URL and accessing a URL subdirectory other than `/upload/` (or the corresponding user-defined root directory). Version 1.0.1 and later fix this problem and allow only direct file access if the full path is known; directory listings are blocked entirely.
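As an added example, not code from prosody-filer itself, the Go handler below shows the behaviour the advisory attributes to 1.0.1 and later: a file is served only when its full path is requested, while a request that resolves to a directory (the shortened `/upload/<id>/` form, or the upload root) gets a 404 instead of a listing. The `/upload/` mount point, the upload id and the file name are constructed assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// uploadHandler serves a file only when its full path is requested.
func uploadHandler(root string) http.Handler {
	cleanRoot := filepath.Clean(root)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Join cleans the path; the prefix check refuses root itself and anything outside it.
		full := filepath.Join(cleanRoot, filepath.FromSlash(r.URL.Path))
		inside := strings.HasPrefix(full, cleanRoot+string(os.PathSeparator))
		info, err := os.Stat(full)
		// A shortened URL such as /upload/<id>/ resolves to a directory: 404, no listing.
		if !inside || err != nil || info.IsDir() {
			http.NotFound(w, r)
			return
		}
		http.ServeFile(w, r, full)
	})
}
// fetch issues an in-memory GET and returns the HTTP status code.
func fetch(h http.Handler, url string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, url, nil))
	return rec.Code
}
// demo builds a constructed upload tree and returns the status codes for the
// full file path, the shortened per-upload directory, and the upload root.
func demo() (file, dir, top int, err error) {
	root, err := os.MkdirTemp("", "uploads")
	if err != nil {
		return
	}
	defer os.RemoveAll(root)
	up := filepath.Join(root, "a1b2c3") // constructed upload id
	if err = os.MkdirAll(up, 0o755); err != nil {
		return
	}
	if err = os.WriteFile(filepath.Join(up, "photo.jpg"), []byte("sample"), 0o644); err != nil {
		return
	}
	h := http.StripPrefix("/upload/", uploadHandler(root)) // assumed mount point
	return fetch(h, "/upload/a1b2c3/photo.jpg"), fetch(h, "/upload/a1b2c3/"), fetch(h, "/upload/"), nil
}
```

`demo()` returns 200 for the full file path and 404 for both directory forms, so a client that trims the URL learns nothing about other uploads.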

Metadata

Created: 2021-05-27T18:41:00Z
Modified: 2021-05-24T21:22:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-qmfx-75ff-8mw6/GHSA-qmfx-75ff-8mw6.json
CWE IDs: []
Alternative ID: N/A
Finding: F063
Auto approve: 1