Miggo Logo

CVE-2020-15239:
Directory Traversal vulnerability in GET/PUT allows attackers to Disclose Information or Write Files via a crafted GET/PUT request

3.5

CVSS Score
3.1

Basic Information

EPSS Score
0.32983%
Published
10/6/2020
Updated
11/19/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
xmpp-http-uploadpip< 0.4.00.4.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper path sanitization in sanitized_join, which used .absolute() instead of proper path resolution. This function was directly used by get_info (for GET requests) and put_file (for PUT requests) to handle user-controlled paths. The commit patching the issue replaced sanitized_join with Flask's safe_join, confirming these functions were the attack vectors. The CWE-22 alignment and advisory descriptions explicitly attribute the issue to path traversal in these handlers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t #### In*orm*tion *is*losur* W**n t** **T m*t*o* is *tt**k**, *tt**k*rs **n r*** *il*s w*i** **v* * `.**t*` su**ix *n* w*i** *r* ***omp*ni** *y * JSON *il* wit* t** `.m*t*` su**ix. T*is **n l*** to In*orm*tion *is*losur* *n* in som* s**r*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r p*t* s*nitiz*tion in s*nitiz**_join, w*i** us** .**solut*() inst*** o* prop*r p*t* r*solution. T*is *un*tion w*s *ir**tly us** *y **t_in*o (*or **T r*qu*sts) *n* put_*il* (*or PUT r*qu*sts) to **n*l* us*r-*ontr