GMS-2018-6: Directory Traversal

January 23, 2018

A crafted GET request can be leveraged to traverse the directory structure of a host using the lactate web server package, and request arbitrary files outside of the specified web root. This allows for a remote attacker to gain access to arbitrary files on the filesystem that the process has access to read. Mitigating factors: Only files that the user running lactate has permission to read will be accessible via this vulnerability.

References

hackerone.com/reports/296645

Detect and mitigate GMS-2018-6 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →