CVE-2020-36565 — Directory traversal on Windows in github.com/labstack/echo/v4

Description

Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

How to fix CVE-2020-36565

To remediate CVE-2020-36565, upgrade the affected package to a fixed version below.

—upgrade to 4.2.0 or later
—upgrade to 4.1.18-0.20201215153152-4422e3b66b9f or later

Is CVE-2020-36565 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.2.0
from 0, < 4.1.18-0.20201215153152-4422e3b66b9f

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-36565
PATCHgithub.com/labstack/echo
WEBgithub.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
WEBgithub.com/labstack/echo/pull/1718
WEB