PT-2021-15459 · Tyk · Tyk Gateway

Calabdean · Published 2021-03-15 · Updated 2021-03-18 · CVE-2021-23357

CVSS v3.1: 5.3 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Tyk Gateway (affected versions not specified)

Description: The issue allows directory traversal, enabling the deletion of arbitrary JSON files on the disk where Tyk is running. The cause is the handleAddOrUpdateApi function, which uses the APIID supplied by the user to build the name of a file it creates on disk. If a file with that name already exists, it is deleted and then re-created with the contents of the API creation request.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2021-23357
SNYK-GOLANG-GITHUBCOMTYKTECHNOLOGIESTYKGATEWAY-1078516

Affected Products

Tyk Gateway