CVE-2020-36559 — Path Traversal in aahframe.work

Description

Due to improper sanitization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

How to fix CVE-2020-36559

To remediate CVE-2020-36559, upgrade the affected package to a fixed version below.

Go/aahframe.work—upgrade to 0.12.4 or later
—upgrade to 0.12.4 or later
—upgrade to 0.12.4 or later

Is CVE-2020-36559 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0.12.4
from 0, < 0.12.4
from 0, < 0.12.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-36559
PATCHgithub.com/go-aah/aah
WEBgithub.com/go-aah/aah/commit/881dc9f71d1f7a4e8a9a39df9c5c081d3a2da1ec
WEBgithub.com/go-aah/aah/issues/266
WEBgithub.com