CVE-2022-40734
MEDIUM6.5EPSS 91.6%UniSharp Laravel Filemanager directory traversal vulnerability
發布日:2022/9/15修改日:2024/2/16
描述
UniSharp laravel-filemanager (aka Laravel Filemanager) with `league/flysystem` version `< 2.0.0` allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. Since `v2.6.4`, UniSharp laravel-filemanager (aka Laravel Filemanager) requires users to install `league/flysystem` version `>= 2.0.0`.
受影響套件(1)
- Packagist/unisharp/laravel-filemanagerfrom 0, < 2.6.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-40734
- PATCHhttps://github.com/UniSharp/laravel-filemanager
- WEBhttps://github.com/UniSharp/laravel-filemanager/commit/8a357d02e8f54ddf130961c64ff2cfc1882bbfcf
- WEBhttps://github.com/UniSharp/laravel-filemanager/issues/1150
- WEBhttps://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966
- WEBhttps://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417