Vulnerability Report: GO-2021-0051

CVE-2020-36565, GHSA-j453-hm5x-c46w
Affects: github.com/labstack/echo/v4
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

Affected Packages

Path

Go Versions

Symbols
github.com/labstack/echo/v4

before v4.1.18-0.20201215153152-4422e3b66b9f
- Echo.Static
- Group.Static

Aliases

CVE-2020-36565
GHSA-j453-hm5x-c46w

References

https://github.com/labstack/echo/pull/1718
https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
https://vuln.go.dev/ID/GO-2021-0051.json

Credits

@little-cui (Apache ServiceComb)

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL