CVE-2020-15239:
Directory Traversal vulnerability in GET/PUT allows attackers to Disclose Information or Write Files via a crafted GET/PUT request
3.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.32983%
CWE
Published
10/6/2020
Updated
11/19/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
xmpp-http-upload | pip | < 0.4.0 | 0.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from improper path sanitization in sanitized_join, which used .absolute() instead of proper path resolution. This function was directly used by get_info (for GET requests) and put_file (for PUT requests) to handle user-controlled paths. The commit patching the issue replaced sanitized_join with Flask's safe_join, confirming these functions were the attack vectors. The CWE-22 alignment and advisory descriptions explicitly attribute the issue to path traversal in these handlers.