The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.
{ "nvd_published_at": "2024-07-31T15:15:11Z", "cwe_ids": [ "CWE-20", "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-07-31T20:54:48Z" }