GHSA-h39x-m55c-v55h

Source
https://github.com/advisories/GHSA-h39x-m55c-v55h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h39x-m55c-v55h/GHSA-h39x-m55c-v55h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-h39x-m55c-v55h
Aliases
Published
2018-10-17T16:20:45Z
Modified
2023-11-01T04:48:53.195114Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Eclipse Vert.x does not properly neutralize '\' (backslash) sequences that can resolve to a location outside the static-file root on Windows
Details

In versions 3.0.0 through 3.5.3 of Eclipse Vert.x, the StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (backslash) sequences that can resolve to a location outside of that directory when running on Windows operating systems. On Windows the filesystem treats '\' as a path separator, so a request path whose traversal segments are joined with backslashes (URL-encoded as %5c) is not caught by a check that only splits on '/', yet is resolved by the OS as an upward traversal; on Linux and other POSIX systems the same request names a single file with literal backslashes in its name under the root, which is why the issue is Windows-specific. The fix is in 3.5.4.
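
Worked illustration of the CWE-22 pattern described above. This is an added example written for this page, not Vert.x code: the advisory does not show the StaticHandler's actual check, so weak_resolve below is an assumed model of a separator-naive check (it only rejects a '..' segment when the path is split on '/'), and hardened_resolve is the containment check a practitioner would want. The web roots are constructed. Python's PureWindowsPath and PurePosixPath are used so the Windows and POSIX interpretations of the same request can be compared on any host.

```python
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import unquote

# Constructed web roots for the two platforms (not taken from the advisory).
WEBROOT_POSIX = "/srv/webroot"
WEBROOT_WINDOWS = r"C:\srv\webroot"


def _pure(windows: bool):
    # PureWindowsPath treats both '/' and '\' as separators;
    # PurePosixPath treats '\' as an ordinary filename character.
    return PureWindowsPath if windows else PurePosixPath


def os_resolve(web_root: str, url_path: str, windows: bool):
    """Interpret url_path under web_root the way the host filesystem will.

    PurePath never collapses '..', so that is done here by walking the parts.
    The anchor ('/' or 'C:\\') is never popped, mirroring what the OS does.
    """
    P = _pure(windows)
    full = P(web_root) / url_path.lstrip("/")
    stack = []
    for part in full.parts:
        if part == "..":
            if len(stack) > 1:
                stack.pop()
        elif part != ".":
            stack.append(part)
    return P(*stack)


def weak_resolve(web_root: str, url_path: str, windows: bool):
    """Assumed model of the flawed check (not the real pre-3.5.4 code):
    reject a '..' segment only when the decoded path is split on '/'.
    Returns the path the OS would open, or None if the request is rejected."""
    decoded = unquote(url_path)
    if ".." in decoded.split("/"):
        return None
    return str(os_resolve(web_root, decoded, windows))


def hardened_resolve(web_root: str, url_path: str, windows: bool):
    """Resolve with host semantics first, then enforce containment in web_root.
    This catches backslash traversal, absolute paths and UNC paths alike,
    because the check is on the resolved result rather than on the input."""
    decoded = unquote(url_path)
    if "\x00" in decoded:            # NUL can truncate the path in native APIs
        return None
    root = _pure(windows)(web_root)
    resolved = os_resolve(web_root, decoded, windows)
    # PureWindowsPath comparisons are case-insensitive, as Windows paths are.
    if resolved != root and root not in resolved.parents:
        return None
    return str(resolved)


if __name__ == "__main__":
    # Constructed probe: '..\..\Windows\win.ini' with the backslashes URL-encoded.
    probe = "/..%5c..%5cWindows%5cwin.ini"
    for windows, root in ((False, WEBROOT_POSIX), (True, WEBROOT_WINDOWS)):
        host = "Windows" if windows else "POSIX"
        print(f"{host}: weak     -> {weak_resolve(root, probe, windows)!r}")
        print(f"{host}: hardened -> {hardened_resolve(root, probe, windows)!r}")
```

On POSIX both variants map the probe to a file literally named `..\..\Windows\win.ini` inside the root (a 404 at worst); on Windows the weak check passes the request through and the OS resolves it to `C:\Windows\win.ini`, while the hardened check rejects it. A simpler but equally valid defence for a static-file handler is to refuse any decoded path containing a backslash outright, since no legitimate URL to a static asset needs one.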

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:38:32Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Maven / io.vertx:vertx-web

Package

Name
io.vertx:vertx-web
Purl
pkg:maven/io.vertx/vertx-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.5.4

Affected versions

3.*

3.0.0
3.1.0
3.2.0
3.2.1
3.3.0.CR1
3.3.0.CR2
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0.Beta1
3.4.0
3.4.1
3.4.2
3.5.0.Beta1
3.5.0
3.5.1
3.5.2.CR1
3.5.2.CR2
3.5.2.CR3
3.5.2
3.5.3.CR1
3.5.3