icon

We found results for “

WS-2021-0614

Good to know:

icon

Date: January 21, 2021

The crate tower-http before versions 0.1.3 and 0.2.1 has Improper validation of Windows paths that could lead to directory traversal attack. tower_http::services::fs::ServeDir didn't correctly validate Windows paths meaning paths like /foo/bar/c:/windows/web/screen/img101.png would be allowed and respond with the contents of c:/windows/web/screen/img101.png. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this.

Language: RUST

Severity Score

Severity Score

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

icon

Upgrade Version

Upgrade to version tower-http - 0.1.3,0.2.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us