CVE-2022-35920
sanic vulnerable to Path Traversal when using `app.static` if using encoded `%2F` URLs
8.3
HIGH
CVSS 3.1
EPSS 0.75%
描述
### Impact Access to lateral directories when using `app.static` if using encoded `%2F` URLs. Parent directory traversal is not impacted. ### Patches - v20.12.7 (LTS) - v21.12.2 (LTS) - v22.6.1 ### References https://github.com/sanic-org/sanic/issues/2478 https://github.com/sanic-org/sanic/pull/2495 ### For more information If you have any questions or comments about this advisory: * Open an issue in [the community forums](https://community.sanicframework.org/) * Ping us on [the Discord server](https://discord.gg/FARQzAEMAA)
如何修補 CVE-2022-35920
要修補 CVE-2022-35920,請將受影響套件升級到下列已修補版本。
- —升級至 22.6.1 或更新版本
CVE-2022-35920 正在被利用嗎?
低 — EPSS 為 0.8%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 22.0.0, < 22.6.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L |