CVE-2020-36559: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

December 28, 2022 (updated February 7, 2023)

Due to improper santization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

References

github.com/advisories/GHSA-vp56-r7qv-783v
github.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
github.com/go-aah/aah/issues/266
github.com/go-aah/aah/pull/267
nvd.nist.gov/vuln/detail/CVE-2020-36559
pkg.go.dev/vuln/GO-2020-0033

Code Behaviors & Features

Detect and mitigate CVE-2020-36559 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →