GHSA-8cw9-5hmv-77w6

Source
https://github.com/advisories/GHSA-8cw9-5hmv-77w6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8cw9-5hmv-77w6/GHSA-8cw9-5hmv-77w6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8cw9-5hmv-77w6
Published
2022-08-06T05:21:19Z
Modified
2023-11-01T04:59:23.558816Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Summary
sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs
Details

Impact

Requests that carry an encoded slash (`%2F`) in the URL can reach lateral directories when files are served with `app.static`. Parent directory traversal is not impacted.
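The root cause class here is a static-file handler that matches the route on the raw (still percent-encoded) URL and only afterwards decodes the captured segment, so a `%2F` that was invisible to the router becomes a real path separator when the file is opened. The following Python function is an added example, not sanic's code and not the fix from the referenced pull request: it shows the generic containment check a static-file handler should apply, decoding once, normalising, and then requiring that the resulting path stays under the mount's root. The mount root `/srv/app/static` and the sample request paths are constructed for illustration.

```python
import os
from urllib.parse import unquote


def resolve_static_path(root, url_path):
    """Map the path portion of a request below a static mount onto a file under `root`.

    Returns the normalised absolute path, or None when the request would land
    outside `root`. Percent-decoding happens before normalisation, so an encoded
    slash (%2F) or encoded dot (%2e) is judged as the separator or component it
    decodes to, not as an opaque character inside a single file name.
    Assumes a POSIX filesystem (forward-slash separators); symlinks inside
    `root` that point elsewhere are not followed or checked here.
    """
    root_abs = os.path.abspath(root)

    # Decode exactly once. Double-encoded sequences (e.g. %252F) decode to a
    # literal "%2F", which is then just an ordinary character in a file name.
    decoded = unquote(url_path)

    # A NUL byte would truncate the path in C-level filesystem calls.
    if "\x00" in decoded:
        return None

    # Strip leading slashes so os.path.join cannot be made to discard `root`
    # by an absolute path such as "/etc/passwd".
    relative = decoded.lstrip("/")

    # Collapse "." and ".." components lexically, then require that the result
    # is `root` itself or sits strictly below it. commonpath compares whole
    # components, so a sibling such as "/srv/app/static2" does not pass.
    candidate = os.path.normpath(os.path.join(root_abs, relative))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical mount of ./static at /static.
    root = "/srv/app/static"
    for raw in ("css/site.css", "css%2Fsite.css", "..%2Fsecret.txt",
                "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
        print(f"{raw!r:30} -> {resolve_static_path(root, raw)}")
```

The important ordering is decode, then normalise, then check: a check performed on the encoded string sees `..%2Fsecret.txt` as a single harmless file name. The check is purely lexical; if the static root may contain symlinks, resolve the candidate with `os.path.realpath` and apply the same containment test to the result.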

Patches

  • v20.12.7 (LTS)
  • v21.12.2 (LTS)
  • v22.6.1

References

  • https://github.com/sanic-org/sanic/issues/2478
  • https://github.com/sanic-org/sanic/pull/2495

For more information

If you have any questions or comments about this advisory:

  • Open an issue in the community forums
  • Ping us on the Discord server

Database specific
{
    "nvd_published_at": "2022-08-01T22:15:00Z",
    "github_reviewed_at": "2022-08-06T05:21:19Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}
Affected packages

PyPI / sanic

Affected ranges

Type: ECOSYSTEM
Events: Introduced 22.0.0; Fixed 22.6.1

Affected versions

22.*

22.3.0
22.3.1
22.3.2
22.6.0

PyPI / sanic

Affected ranges

Type: ECOSYSTEM
Events: Introduced 21.0.0; Fixed 21.12.2

Affected versions

21.*

21.3.0
21.3.1
21.3.2
21.3.4
21.6.0
21.6.1
21.6.2
21.9.0
21.9.1
21.9.2
21.9.3
21.12.0
21.12.1

PyPI / sanic

Affected ranges

Type: ECOSYSTEM
Events: Introduced 0 (unknown introduced version; all previous versions are affected); Fixed 20.12.7

Affected versions

0.*

0.1.0
0.1.1
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.3.0
0.3.1
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.4
0.6.0
0.7.0
0.8.0
0.8.1
0.8.2
0.8.3

18.*

18.12.0

19.*

19.3.1
19.6.0
19.6.2
19.6.3
19.9.0
19.12.0
19.12.2
19.12.3
19.12.4
19.12.5

20.*

20.3.0
20.6.0
20.6.1
20.6.2
20.6.3
20.9.0
20.9.1
20.12.0
20.12.1
20.12.2
20.12.3
20.12.4
20.12.5
20.12.6