Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12cDU2LXI3cXYtNzgzds4AAwog
ahh vulnerable to Path Traversal
Due to improper sanitization of user input, HTTPEngine.Handle allows directory traversal, letting an attacker read files outside of the target directory that the server has permission to read.
Permalink: https://github.com/advisories/GHSA-vp56-r7qv-783v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cDU2LXI3cXYtNzgzds4AAwog
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-vp56-r7qv-783v, CVE-2020-36559
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-36559
- https://github.com/go-aah/aah/issues/266
- https://github.com/go-aah/aah/pull/267
- https://github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
- https://pkg.go.dev/vuln/GO-2020-0033
- https://github.com/advisories/GHSA-vp56-r7qv-783v
Blast Radius: 13.2
Affected Packages
go:aahframe.work
Dependent packages: 11
Dependent repositories: 58
Downloads:
Affected Version Ranges: < 0.12.4
Fixed in: 0.12.4
All affected versions: 0.4.1, 0.5.1, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.12.1, 0.12.2, 0.12.3
All unaffected versions: 0.12.4, 0.12.5
go:github.com/go-aah/aah
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 0.12.4
Fixed in: 0.12.4
All affected versions: 0.4.1, 0.5.1, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.12.1, 0.12.2, 0.12.3
All unaffected versions: 0.12.4, 0.12.5