CVE-2022-35920 – sanic

Package

Manager: pip
Name: sanic
Vulnerable Version: >=22.0.0 <22.6.1 || >=21.0.0 <21.12.2 || >=0 <20.12.7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

EPSS: 0.00912 pctl0.74979

Details

sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs ### Impact Access to lateral directories when using `app.static` if using encoded `%2F` URLs. Parent directory traversal is not impacted. ### Patches - v20.12.7 (LTS) - v21.12.2 (LTS) - v22.6.1 ### References https://github.com/sanic-org/sanic/issues/2478 https://github.com/sanic-org/sanic/pull/2495 ### For more information If you have any questions or comments about this advisory: * Open an issue in [the community forums](https://community.sanicframework.org/) * Ping us on [the Discord server](https://discord.gg/FARQzAEMAA)

Metadata

Created: 2022-08-06T05:21:19Z
Modified: 2022-08-11T20:57:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8cw9-5hmv-77w6/GHSA-8cw9-5hmv-77w6.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-8cw9-5hmv-77w6
Finding: F063
Auto approve: 1