Miggo Logo
Miggo Vulnerability Database
CVE-2020-15101

CVE-2020-15101: freewvs's nested directory structure can interrupt scan

2.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-15101
GHSA ID
GHSA-7pmh-vrww-25xx
EPSS Score
0.39512%
CWE
CWE-674
Published
8/30/2024
Updated
8/30/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
freewvspip>= 0, < 0.1.10.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the use of os.walk() in the main directory scanning loop without recursion depth control. Python's os.walk() uses recursion internally, and the original implementation allowed unlimited directory nesting. When scanning a directory with >1000 nested subdirectories, this would hit Python's recursion limit, crashing the scan. The commit fixed this by adding a check on root.count(os.sep) to limit recursion depth. The vulnerable code is explicitly shown in the diff as the unmodified os.walk() loop in the 'freewvs' file's main scanning logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * *ir**tory stru*tur* o* mor* t**n **** n*st** *ir**tori*s **n int*rrupt * *r**wvs s**n *u* to Pyt*on's r**ursion limit *n* os.w*lk(). T*is **n ** pro*l*m*ti* in * **s* w**r* *n **ministr*tor s**ns t** *irs o* pot*nti*lly untrust** us*rs.

Reasoning

T** vuln*r**ility st*ms *rom t** us* o* `os.w*lk()` in t** m*in *ir**tory s**nnin* loop wit*out r**ursion **pt* *ontrol. Pyt*on's `os.w*lk()` us*s r**ursion int*rn*lly, *n* t** ori*in*l impl*m*nt*tion *llow** unlimit** *ir**tory n*stin*. W**n s**nnin