Vulnerability Description
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Labstack | Echo | < 4.2.0 |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaaPatchThird Party Advisory
- https://github.com/labstack/echo/pull/1718ExploitPatchThird Party Advisory
- https://pkg.go.dev/vuln/GO-2021-0051Release NotesVendor Advisory
- https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaaPatchThird Party Advisory
- https://github.com/labstack/echo/pull/1718ExploitPatchThird Party Advisory
- https://pkg.go.dev/vuln/GO-2021-0051Release NotesVendor Advisory
FAQ
What is CVE-2020-36565?
CVE-2020-36565 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has pe...
How severe is CVE-2020-36565?
CVE-2020-36565 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-36565?
Check the references section above for vendor advisories and patch information. Affected products include: Labstack Echo, Microsoft Windows.