CVE-2022-35920

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in pypi/sanic

Identifiers

CVE-2022-35920, GHSA-8cw9-5hmv-77w6

Package Slug

pypi/sanic

Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Description

Sanic is an open-source Python web server and framework. In affected versions, files served with app.static can be reached in lateral directories by requests that use a percent-encoded slash (%2F) in the URL. Parent-directory traversal is not affected. Users are advised to upgrade; there is no known workaround for this issue.
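The advisory does not describe the mechanism, so the following is an added example rather than Sanic's code or its fix: it models the containment check a static-file handler has to get right before it opens anything under the root. The helper names (naive_static_path, safe_static_path, run_demo), the temporary on-disk layout and the request paths are all constructed for the demonstration; the naive variant is deliberately weak for contrast and shows two generic pitfalls, checking the URI before percent-decoding it and testing containment with a string prefix, which lets a sibling directory whose name begins with the root's name pass as "inside".

```python
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


class StaticPathError(Exception):
    """Raised when a request path does not map to a file inside the static root."""


def naive_static_path(root: Path, raw_uri: str) -> Path:
    """Deliberately weak variant for contrast (hypothetical, not Sanic's code).

    Two classic mistakes: the containment check runs on the still-encoded URI,
    and containment is a string-prefix test, so a sibling directory whose name
    begins with the root's name (static -> static_private) counts as inside.
    """
    root = root.resolve()
    checked = (root / raw_uri.lstrip("/")).resolve()
    if not str(checked).startswith(str(root)):
        raise StaticPathError(raw_uri)
    # The file actually opened is the decoded one, which differs from the
    # path that was checked whenever the URI contains %2F or %2E.
    return (root / unquote(raw_uri).lstrip("/")).resolve()


def safe_static_path(root: Path, raw_uri: str) -> Path:
    """Decode first, canonicalise, then test containment component-wise."""
    root = root.resolve()
    # Decode before any check so %2F cannot hide a separator from it; strip
    # leading slashes so Path() does not treat the request as an absolute path.
    decoded = unquote(raw_uri).lstrip("/")
    candidate = (root / decoded).resolve()  # collapses "..", follows symlinks
    try:
        candidate.relative_to(root)  # compares path components, not characters
    except ValueError as exc:
        raise StaticPathError(raw_uri) from exc
    return candidate


def build_demo_tree() -> Path:
    """Constructed layout: a static root plus a lateral directory sharing its prefix."""
    base = Path(tempfile.mkdtemp(prefix="static-demo-")).resolve()
    (base / "static" / "docs").mkdir(parents=True)
    (base / "static" / "docs" / "index.html").write_text("public\n")
    (base / "static_private").mkdir()
    (base / "static_private" / "secret.txt").write_text("not for the web\n")
    return base


# Constructed request paths: one legitimate use of %2F and two lateral escapes.
CASES = {
    "encoded_slash": "docs%2Findex.html",
    "lateral_encoded": "..%2Fstatic_private%2Fsecret.txt",
    "lateral_plain": "../static_private/secret.txt",
}


def run_demo() -> dict:
    """Map (case, checker name) -> path served relative to the demo base, or 'rejected'."""
    base = build_demo_tree()
    root = base / "static"
    results = {}
    try:
        for name, uri in CASES.items():
            for checker in (naive_static_path, safe_static_path):
                try:
                    served = checker(root, uri).relative_to(base).as_posix()
                except StaticPathError:
                    served = "rejected"
                results[(name, checker.__name__)] = served
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for (case, checker), served in run_demo().items():
        print(f"{case:16} {checker:18} -> {served}")
```

Two design points worth noting. Path.relative_to compares path components, so `static_private` is never treated as being under `static`, whereas `str(path).startswith(str(root))` is. And the safe variant decodes exactly once: a doubly encoded `%252F` becomes the literal characters `%2F`, which is an ordinary file-name substring and not a separator, so the check still holds.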

Affected Versions

All versions before 20.12.7, all versions starting from 21.0.0 before 21.12.2, all versions starting from 22.0.0 before 22.6.1

Solution

Upgrade to versions 20.12.7, 21.12.2, 22.6.1 or above.

Last Modified

2022-08-09
