PT-2019-12814 · Twentytwenty · 20|20 Storage

Published

2019-08-13

Updated

2019-08-21

CVE-2019-12479

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions 20|20 Storage version 2.11.0

Description An issue in the TwentyTwenty.Storage library allows for a Path Traversal, enabling the creation and reading of files outside the specified basepath in the LocalStorageProvider. If the application does not sanitize user-supplied filenames, this issue can be exploited to read or write arbitrary files.

Recommendations For version 2.11.0, ensure that user-supplied filenames are properly sanitized to prevent exploitation of the Path Traversal issue in the LocalStorageProvider. As a temporary workaround, consider restricting access to the LocalStorageProvider until a patch is available.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2019-12479

Affected Products

20|20 Storage

PT-2019-12814 · Twentytwenty · 20|20 Storage

CVE-2019-12479

Weakness Enumeration

Related Identifiers

Affected Products

References · 3