CVE-2023-40587 — Path Traversal in Pyramid
Severity
NVD: 5.3 MEDIUM
CNA: 4.3
EPSS
0.3%
top 43.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 25
Description
Pyramid is an open source Python web framework. A path traversal vulnerability in Pyramid versions 2.0.0 and 2.0.1 impacts users of Python 3.11 who are using a Pyramid static view with a full filesystem path and have an `index.html` file located exactly one directory above the static view's filesystem path. No further path traversal exists, and the only file that could be disclosed accidentally is `index.html`. Pyramid version 2.0.2 rejects any path that contains a null-…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 3 packages
Also affects: Fedora 38, 39
Patches
Vulnerability Details: 4
Vendor Advisories: 1
Debian (2023): CVE-2023-40587: python-pyramid - Pyramid is an open source Python web framework. A path traversal vulnerability i...