CVE-2020-15230
Arbitrary file read in Vapor
In short
Vapor web framework versions before 4.29.4 have a flaw in FileMiddleware that allows attackers to read any file on the server by manipulating file paths. This is dangerous because attackers can access sensitive data like configuration files or private keys.
Technical detail
Path traversal vulnerability in Vapor's FileMiddleware (CWE-22) allows unauthenticated attackers to bypass directory restrictions and read arbitrary files on the filesystem. The vulnerability requires only that FileMiddleware is enabled; exploitation occurs through crafted requests with path traversal sequences that are not properly sanitized before file access.
Summary generated and translated by AI from the official description.
Vapor is a web framework for Swift. In Vapor before version 4.29.4, attackers can access data at arbitrary filesystem paths on the same host as an application. Only applications using FileMiddleware are affected. This is fixed in version 4.29.4.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
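The path-containment check that a static-file handler needs, shown beside the unchecked join that produces this class of bug (CWE-22). This is an added illustration in Python, not Vapor's Swift code or its actual patch; the function names, directory layout and file contents are assumptions constructed for the example.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def naive_resolve(public_dir: str, request_path: str) -> str:
    """Unsafe pattern: joins the request path onto the public directory unchecked."""
    return os.path.join(public_dir, request_path.lstrip("/"))


def safe_resolve(public_dir: str, request_path: str) -> Optional[str]:
    """Return the real file path only if it stays inside public_dir, else None."""
    decoded = unquote(request_path)  # decode first so the check sees the final path
    if "\x00" in decoded:
        return None
    root = os.path.realpath(public_dir)
    # realpath collapses ".." and follows symlinks before the containment test
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath compares whole components, so /srv/Public-old never passes for /srv/Public
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo() -> dict:
    """Build a constructed directory tree and resolve sample request paths."""
    with tempfile.TemporaryDirectory() as base:
        public = os.path.join(base, "Public")
        os.mkdir(public)
        with open(os.path.join(public, "index.html"), "w") as f:
            f.write("<h1>ok</h1>")
        secret = os.path.join(base, "secret.env")  # sits outside the public directory
        with open(secret, "w") as f:
            f.write("KEY=constructed-sample")
        naive = os.path.realpath(naive_resolve(public, "/../secret.env"))
        return {
            "naive_escapes": naive == os.path.realpath(secret),
            "safe_index": safe_resolve(public, "/index.html") is not None,
            "safe_traversal": safe_resolve(public, "/../secret.env"),
            "safe_encoded": safe_resolve(public, "/%2e%2e/secret.env"),
        }


if __name__ == "__main__":
    print(demo())
```

The same containment test doubles as a regression test after upgrading to 4.29.4: a request that resolves outside the public directory must never return file contents.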
Affected products
vapor · vapor