Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yNDloLTZxeHEtNjI0Zs4AA-S1

Weave server API vulnerable to arbitrary file leak

The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.

Permalink: https://github.com/advisories/GHSA-r49h-6qxq-624f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNDloLTZxeHEtNjI0Zs4AA-S1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago

CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-r49h-6qxq-624f, CVE-2024-7340
References:

Repository: https://github.com/wandb/weave
Blast Radius: 10.1

Affected Packages

pypi:weave

Dependent packages: 3
Dependent repositories: 14
Downloads: 36,367 last month
Affected Version Ranges: < 0.50.8
Fixed in: 0.50.8
All affected versions: 0.15.0, 0.16.0, 0.17.0, 0.20.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.35.0, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.50.1, 0.50.2, 0.50.3, 0.50.4, 0.50.5, 0.50.6, 0.50.7
All unaffected versions: 0.50.8, 0.50.9, 0.50.10, 0.50.11, 0.50.12, 0.50.13, 0.50.14, 0.50.15, 0.51.0, 0.51.1, 0.51.2, 0.51.5, 0.51.6, 0.51.7, 0.51.8, 0.51.9, 0.51.10, 0.51.12, 0.51.14, 0.51.16, 0.51.17, 0.51.18, 0.51.19, 0.51.20, 0.51.21, 0.51.22