CVE-2022-40734
MEDIUM6.5EPSS 91.6%UniSharp Laravel Filemanager directory traversal vulnerability
Published: 9/15/2022Modified: 2/16/2024
Also known as:GHSA-5m2h-7rf2-rpx6
Description
UniSharp laravel-filemanager (aka Laravel Filemanager) with `league/flysystem` version `< 2.0.0` allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. Since `v2.6.4`, UniSharp laravel-filemanager (aka Laravel Filemanager) requires users to install `league/flysystem` version `>= 2.0.0`.
Affected packages (1)
- Packagist/unisharp/laravel-filemanagerfrom 0, < 2.6.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-40734
- PATCHhttps://github.com/UniSharp/laravel-filemanager
- WEBhttps://github.com/UniSharp/laravel-filemanager/commit/8a357d02e8f54ddf130961c64ff2cfc1882bbfcf
- WEBhttps://github.com/UniSharp/laravel-filemanager/issues/1150
- WEBhttps://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966
- WEBhttps://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417