CVE-2026-48099
WsgiDAV encoded dot segments can escape filesystem share roots
Description
### Impact

WsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout.

### Patches

The issue is fixed with version 4.3.4.

### Preconditions

The practical impact depends on the deployment.

- The deployment uses a filesystem-backed WsgiDAV share.
- The attacker can send WebDAV requests accepted by that share. This may be an anonymous share or an authenticated WebDAV user. This is not an authentication bypass.

### Details

The issue is in `FilesystemProvider._loc_to_file_path()`. The method builds a candidate path with `os.path.abspath(os.path.join(root_path, *path_parts))`, then checks containment with `file_path.startswith(root_path)`. This is not path-boundary aware. For example, if the configured share root is `/tmp/share`, a resolved sibling path such as `/tmp/share_evil/secret.txt` still starts with the string `/tmp/share`.

In a local proof, this allowed GET, PUT, and DELETE requests to operate on files outside the configured share root.

- The WSGI/server layer forwards the encoded dot segment to WsgiDAV's PATH_INFO. The local proof used `/%2e%2e/...`, which wsgiref passed through as `/../...`.
- A sibling or neighboring path exists whose absolute path starts with the configured root path string, such as `/tmp/share` and `/tmp/share_evil`.
- The WsgiDAV process has OS permissions for the outside path.
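The following is an added illustration of the containment check described above, not WsgiDAV's own code. It reconstructs the candidate-path construction the advisory quotes (`abspath(join(root, *parts))`) and places the prefix-only `startswith` check beside a path-boundary-aware check built on `posixpath.commonpath`. The function names, the `/tmp/share` and `/tmp/share_evil` layout, and the request path are constructed for the example; `posixpath` is used instead of `os.path` so the result is the same on every platform.

```python
import posixpath


def resolve_candidate(root_path: str, path_parts) -> str:
    """Build the candidate path the way the advisory describes:
    abspath(join(root, *parts)). abspath collapses '..' segments, so a
    request whose decoded PATH_INFO contains '/../' can resolve to a
    path next to the root rather than under it."""
    return posixpath.abspath(posixpath.join(root_path, *path_parts))


def is_inside_prefix_check(root_path: str, file_path: str) -> bool:
    """The check the advisory calls out: a plain string-prefix test.
    '/tmp/share_evil/secret.txt' starts with '/tmp/share', so it passes."""
    return file_path.startswith(root_path)


def is_inside_boundary_check(root_path: str, file_path: str) -> bool:
    """Boundary-aware containment: the candidate is inside the root only if
    the longest common *directory* prefix of the two paths is the root
    itself. A sibling such as '/tmp/share_evil' shares only '/tmp'.
    (In a real deployment, resolve symlinks with realpath first; this
    example stays pure-string so it runs offline.)"""
    root = posixpath.abspath(root_path)
    candidate = posixpath.abspath(file_path)
    try:
        return posixpath.commonpath([root, candidate]) == root
    except ValueError:
        # Raised when mixing absolute and relative paths; treat as outside.
        return False


def check_request_path(root_path: str, path_info: str, boundary_aware: bool = True):
    """Return (allowed, candidate_path) for a decoded WSGI PATH_INFO.
    '..' segments are deliberately kept so they are resolved by abspath,
    mirroring the construction described in the advisory; the difference
    lies entirely in which containment check is applied afterwards."""
    path_parts = [p for p in path_info.split("/") if p]
    candidate = resolve_candidate(root_path, path_parts)
    check = is_inside_boundary_check if boundary_aware else is_inside_prefix_check
    return check(root_path, candidate), candidate


if __name__ == "__main__":
    # Constructed example matching the layout in the advisory text.
    ROOT = "/tmp/share"
    # What a server such as wsgiref hands over after passing /%2e%2e/ through.
    DECODED_PATH_INFO = "/../share_evil/secret.txt"
    for mode in (False, True):
        allowed, path = check_request_path(ROOT, DECODED_PATH_INFO, boundary_aware=mode)
        label = "boundary-aware" if mode else "prefix-only"
        print(f"{label:15} -> {path}  allowed={allowed}")
    print(check_request_path(ROOT, "/docs/readme.txt"))
```

Running the block prints the same resolved path for both modes, `/tmp/share_evil/secret.txt`, accepted by the prefix-only check and rejected by the boundary-aware one; an in-share path like `/docs/readme.txt` is accepted by both. When reviewing similar code, the thing to look for is exactly this: a `startswith` (or `str.find`) containment test on a root that has no trailing separator, which accepts every sibling whose name extends the root's final component.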
How to fix CVE-2026-48099
To fix CVE-2026-48099, upgrade the affected package to the patched version listed below.
- Upgrade to 4.3.4 or later
Is CVE-2026-48099 being exploited?
There are currently no exploitation signals. CVE-2026-48099 is not in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- from 0, < 4.3.4