CVE-2020-15230
Published 2020-10-02
Priority P3 · 39 · medium · 6.5 (CVSS 3.1) · AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS 1.53% (71.6th percentile)
Vapor is a web framework for Swift. In Vapor before version 4.29.4, attackers can access data at arbitrary filesystem paths on the same host as an application. Only applications using FileMiddleware are affected. This is fixed in version 4.29.4.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | vapor_vapor | >= 4.0.0-rc.2.5 < 4.29.4 | 4.29.4 |
| vapor | vapor | < 4.29.4 | 4.29.4 |
| vapor_project | vapor | < 4.29.4 | 4.29.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
GHSA
Arbitrary file read using percent-encoded relative paths in FileMiddleware
ghsa·2023-06-09
CVE-2020-15230 [MEDIUM] CWE-22 Arbitrary file read using percent-encoded relative paths in FileMiddleware
### Impact
Attackers can access data at arbitrary filesystem paths on the same host as an application using `FileMiddleware`.
### Patches
Version [4.29.4](https://github.com/vapor/vapor/releases/tag/4.29.4)
### Workarounds
Upgrade to 4.24.4 or later, or disable `FileMiddleware`.
### References
* Introduced in https://github.com/vapor/vapor/pull/2223
* Fixed by https://github.com/vapor/vapor/pull/2500
### For more information
If you have any questions or comments about this advisory:
* Open [an issue](https://github.com/vapor/vapor/issues)
* Email us at [[email protected]](mailto:[email protected])
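The advisory's root cause (CWE-22) is a traversal check that runs before percent-decoding, so a path segment sent as `%2e%2e` is not recognised as `..` and is only decoded later, after the check. The following is an added example, not Vapor's code and not the FileMiddleware fix: it places a constructed naive resolver (the defective ordering) beside a hardened one that decodes first, rejects NUL bytes, canonicalises with `os.path.realpath`, and then enforces that the result stays under the public root. The root directory `/srv/app/Public` and the sample request paths are constructed for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed public directory for the example; it need not exist on disk.
PUBLIC_ROOT = "/srv/app/Public"


def resolve_naive(public_root: str, request_path: str) -> Optional[str]:
    """Defective ordering (constructed illustration, not Vapor's code).

    The '..' check inspects the raw request path while it is still
    percent-encoded, so '%2e%2e' passes.  The path is decoded afterwards,
    and only then does the traversal take effect.
    """
    if ".." in request_path:
        return None  # only catches a literal '..'
    decoded = unquote(request_path)  # decoding happens too late
    return os.path.normpath(os.path.join(public_root, decoded.lstrip("/")))


def resolve_safe(public_root: str, request_path: str) -> Optional[str]:
    """Hardened resolver: decode once, canonicalise, then enforce the root.

    1. Percent-decode exactly once (decoding twice would reopen the hole).
    2. Reject NUL bytes, which can truncate paths in lower layers.
    3. Canonicalise both root and candidate with realpath so '..' segments
       and symlinks are resolved before the comparison.
    4. Accept only if the candidate is the root or lies strictly beneath it.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    root = os.path.realpath(public_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the public directory
    return candidate


# Constructed sample requests: one legitimate, three traversal attempts.
SAMPLE_REQUESTS = [
    "/css/app.css",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",   # encoded '..' slips past the naive check
    "/..%2f..%2f..%2fetc/passwd",          # literal '..' is caught by both
    "/images/%2e%2e/%2e%2e/secret.txt",    # encoded '..' inside a subdirectory
]


def compare(public_root: str, requests) -> dict:
    """Return {request: (naive_result, safe_result)} for each sample path."""
    return {
        req: (resolve_naive(public_root, req), resolve_safe(public_root, req))
        for req in requests
    }


if __name__ == "__main__":
    for req, (naive, safe) in compare(PUBLIC_ROOT, SAMPLE_REQUESTS).items():
        print(f"{req!r:45} naive={naive!r:35} safe={safe!r}")
```

The decisive design choice is the order of operations: decode, canonicalise, then compare the canonical path against the canonical root, rather than scanning the raw string for `..`. The `commonpath` comparison also covers cases a substring check misses entirely, such as a sibling directory whose name merely starts with the root's name.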
OSV
Arbitrary file read using percent-encoded relative paths in FileMiddleware
osv·2023-06-09
CVE-2020-15230 [MEDIUM] Arbitrary file read using percent-encoded relative paths in FileMiddleware (advisory text identical to the GHSA entry above)
No detection rules found.
No public exploits indexed.
* https://github.com/vapor/vapor/commit/cf1651f7ff76515593f4d8ca6e6e15d2247fe255
* https://github.com/vapor/vapor/pull/2500
* https://github.com/vapor/vapor/security/advisories/GHSA-vcvg-xgr8-p5gq
Published 2020-10-02