CVE-2020-15230 — Path Traversal in Vapor

CWE-22 — Path Traversal4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.6%

top 31.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vapor Vapor Project Vapor Github.com Vapor Vapor

Timeline

PublishedOct 2

Latest updateApr 26

Description

Vapor is a web framework for Swift. In Vapor before version 4.29.4, Attackers can access data at arbitrary filesystem paths on the same host as an application. Only applications using FileMiddleware are affected. This is fixed in version 4.29.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5vapor/vapor< 4.29.4

▶NVDvapor_project/vapor< 4.29.4

▶SwiftURLgithub.com/vapor_vapor4.0.0-rc.2.5 — 4.29.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Arbitrary file read using percent-encoded relative paths in FileMiddleware↗2023-06-09

▶

OSV

Arbitrary file read using percent-encoded relative paths in FileMiddleware↗2023-06-09

▶

📄Research Papers

arXiv

Software Vulnerability Prediction in Low-Resource Languages: An Empirical Study of CodeBERT and ChatGPT↗2024-04-26

▶