CVE-2026-42351
pygeoapi 0.23.x: Path Traversal in STAC FileSystemProvider
Description

### Impact

A raw string path concatenation vulnerability in pygeoapi's STAC FileSystemProvider plugin can allow requests to STAC collection-based resources to expose directories without authentication. The issue manifests when pygeoapi is deployed without a proxy or web front end that would normalize URLs containing `..` segments, together with a resource of type `stac-collection` defined in the configuration.

### Patches

The issue has been patched in the master branch and is available as part of the 0.23.3 release. The fix commit is [bf25b8695edbdd5476eeffc102b633d1d3e45f52](https://github.com/geopython/pygeoapi/commit/bf25b8695edbdd5476eeffc102b633d1d3e45f52).

### Workarounds

Users can safeguard existing deployments by disabling STAC collection-based resources in their pygeoapi configuration until 0.23.3 can be installed and deployed.
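The raw-concatenation pattern the advisory describes, beside a containment check of the kind a file-backed provider needs when no front end normalizes `..` for it. This is an added illustration, not pygeoapi's code; `BASE_DIR` and the function names are hypothetical.

```python
from pathlib import Path

# Hypothetical root directory of one stac-collection resource (constructed
# for this example; not a pygeoapi configuration value).
BASE_DIR = Path("/srv/stac/collection")


def unsafe_join(base: Path, requested: str) -> str:
    """The vulnerable pattern: raw string concatenation of base + request.

    Nothing here normalizes the request, so a '..' segment that survives
    to this point is passed straight through to the filesystem.
    """
    return str(base) + "/" + requested


def safe_resolve(base: Path, requested: str) -> Path:
    """Resolve the requested sub-path and refuse anything outside `base`.

    `Path.resolve()` normalizes '..' segments and follows symlinks; the
    result is then checked to be the base itself or a descendant of it.
    An absolute request ('/etc/passwd') replaces the base when joined,
    which the same containment check also rejects.
    """
    base_resolved = base.resolve()
    candidate = (base_resolved / requested).resolve()
    if candidate != base_resolved and base_resolved not in candidate.parents:
        raise PermissionError(f"path escapes collection root: {requested!r}")
    return candidate


def is_contained(base: Path, requested: str) -> bool:
    """Boolean form of the check, convenient for request handlers."""
    try:
        safe_resolve(base, requested)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    for req in ("items/a.json", "items/../items/a.json", "../../../etc/passwd"):
        print(f"{req!r:28} unsafe -> {unsafe_join(BASE_DIR, req)}")
        print(f"{'':28} contained -> {is_contained(BASE_DIR, req)}")
```

A `..` that stays inside the collection (`items/../items/a.json`) is accepted after normalization; only paths that leave the root are refused.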
How to fix CVE-2026-42351

To fix CVE-2026-42351, upgrade the affected package to the patched version listed below.

- pygeoapi: upgrade to 0.23.3 or later

Is CVE-2026-42351 being exploited?

Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed so far.

Affected packages (1)

- pygeoapi >= 0.23.0, < 0.23.3
CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |