CVE-2022-35920 — sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F

Description

### Impact Access to lateral directories when using `app.static` if using encoded `%2F` URLs. Parent directory traversal is not impacted. ### Patches - v20.12.7 (LTS) - v21.12.2 (LTS) - v22.6.1 ### References https://github.com/sanic-org/sanic/issues/2478 https://github.com/sanic-org/sanic/pull/2495 ### For more information If you have any questions or comments about this advisory: * Open an issue in [the community forums](https://community.sanicframework.org/) * Ping us on [the Discord server](https://discord.gg/FARQzAEMAA)

How to fix CVE-2022-35920

To remediate CVE-2022-35920, upgrade the affected package to a fixed version below.

—upgrade to 22.6.1 or later

Is CVE-2022-35920 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 22.0.0, < 22.6.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-35920
PATCHgithub.com/sanic-org/sanic
WEBgithub.com/sanic-org/sanic/issues/2478
WEBgithub.com/sanic-org/sanic/pull/2495
WEB