CVE-2018-12542 – io.vertx:vertx-web
Package
Manager: maven
Name: io.vertx:vertx-web
Vulnerable Version: >=3.0.0 <3.5.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00962 (percentile: 0.75622)
Details
Eclipse Vert.x does not properly neutralize '\' (forward slashes) sequences that can resolve to an external location.
In versions 3.0.0 to 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location outside of that directory when running on Windows operating systems.
Metadata
Created: 2018-10-17T16:20:45Z
Modified: 2022-04-26T21:49:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h39x-m55c-v55h/GHSA-h39x-m55c-v55h.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-h39x-m55c-v55h
Finding: F063
Auto approve: 1