
RUSTSEC-2021-0135

Improper validation of Windows paths could lead to directory traversal attack


This advisory has been withdrawn and should be ignored. It is kept only for reference.


Reported:
Issued:
Package: tower-http (crates.io)
Type: Vulnerability
Categories:
Keywords: #directory-traversal #http
Aliases:
References:
Patched:
  • >=0.2.1
  • >=0.1.3, <0.2.0
Affected OSes:
  • windows

Description

tower_http::services::fs::ServeDir did not correctly validate Windows paths, meaning a request for a path like /foo/bar/c:/windows/web/screen/img101.png would be accepted and answered with the contents of c:/windows/web/screen/img101.png. Users could therefore potentially read files anywhere on the filesystem.

This only impacts Windows. Linux and other Unix-likes are not impacted.

See tower-http#204 for more details.
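The underlying hazard is that a URL segment such as `c:` is an ordinary name on Unix but a drive prefix once a Windows path API parses it, so validation has to happen on the raw request segments before they are joined to the served directory. The following is an added illustration of that defensive check, not tower-http's own code; it assumes the request path has already been percent-decoded, and the `safe_join` and `PathError` names are hypothetical.

```rust
use std::path::{Component, Path, PathBuf};

/// Error returned when a request segment cannot be mapped safely.
#[derive(Debug, PartialEq)]
pub enum PathError {
    /// A segment that is not a plain file or directory name (e.g. `..`, `c:`).
    InvalidSegment(String),
}

/// Map a URL path onto `root`, accepting only plain name segments.
///
/// Segments are inspected as strings before any OS path API sees them, so a
/// drive letter like `c:` or a backslash can never turn into a Windows prefix
/// or root component after the join. `..` is rejected outright.
pub fn safe_join(root: &Path, url_path: &str) -> Result<PathBuf, PathError> {
    let mut out = root.to_path_buf();
    for seg in url_path.split('/') {
        // Empty segments (leading slash, `//`) and `.` are harmless no-ops.
        if seg.is_empty() || seg == "." {
            continue;
        }
        // `:` and `\` are meaningful to Windows path parsing; refuse them.
        let windows_special = seg.contains(':') || seg.contains('\\');
        if seg == ".." || windows_special {
            return Err(PathError::InvalidSegment(seg.to_string()));
        }
        // Belt and braces: on the host OS the segment must parse as exactly
        // one `Component::Normal`, i.e. a plain name and nothing else.
        let mut comps = Path::new(seg).components();
        match (comps.next(), comps.next()) {
            (Some(Component::Normal(_)), None) => out.push(seg),
            _ => return Err(PathError::InvalidSegment(seg.to_string())),
        }
    }
    Ok(out)
}

fn main() {
    let root = Path::new("/srv/www"); // constructed sample root
    for req in ["/foo/bar/baz.png", "/foo/bar/c:/windows/web/screen/img101.png"] {
        println!("{req} -> {:?}", safe_join(root, req));
    }
}
```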

Advisory available under CC0-1.0 license.