rustsec/advisory-db
1
0
Fork 0
mirror of https://github.com/rustsec/advisory-db.git synced 2025-12-27 01:54:07 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
advisory-db/crates/hyper-staticfile/RUSTSEC-2022-0069.md
Alexis Mousset 84c633df9c Update aliases from GHSA OSV export (#1693)
2023-06-13 15:10:24 +02:00

811 B
Raw Permalink Blame History 

[advisory]
id = "RUSTSEC-2022-0069"
package = "hyper-staticfile"
date = "2022-11-30"
url = "https://github.com/stephank/hyper-staticfile/issues/35"
categories = ["file-disclosure"]
keywords = ["directory traversal", "http"]
aliases = ["GHSA-7p7c-pvvx-2vx3"]

[affected]
os = ["windows"]

[versions]
patched = ["^0.9.2", ">= 0.10.0-alpha.2"]

Improper validation of Windows paths could lead to directory traversal attack

Path resolution in hyper-staticfile didn't correctly validate Windows paths meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem.

This only impacts Windows. Linux and other unix likes are not impacted by this.