Arbitrary File Read Affecting github.com/vapor/vapor package, versions >=4.0.0-rc.2.5 <4.29.4


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
1.53% (72nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SWIFT-VAPORVAPOR-3097831
  • published6 Nov 2022
  • disclosed2 Nov 2022
  • creditLee M (lmcd)

Introduced: 2 Nov 2022

CVE-2020-15230  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade vapor/vapor to version 4.29.4 or higher.

Overview

vapor/vapor is an a server-side Swift HTTP web framework.

Affected versions of this package are vulnerable to Arbitrary File Read. This can be caused by using percent-encoded relative paths in FileMiddleware.

CVSS Base Scores

version 3.1