PT-2022-17193 · Unknown · Drogonframework/Drogon

Kirill89

·

Published

2022-02-21

·

Updated

2022-02-28

·

CVE-2022-25297

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

drogonframework/drogon versions prior to 1.7.5

Description

The issue arises from the unsafe handling of file names during upload in the HttpFile::save() method: a client-supplied file name is joined onto the target folder without being validated, so a name that escapes that folder (for example, one containing ".." components or an absolute path) can make the application write the uploaded content to an arbitrary location on the server. With the CVSS vector above this is a low-privilege, unauthenticated-interaction write primitive over the network.

Recommendations

For versions prior to 1.7.5, update to version 1.7.5 or later, where the issue is fixed. Where an immediate upgrade is not possible, do not pass client-supplied file names to HttpFile::save(); either generate the stored name server-side, or accept only names that are a single path component (no directory separators, no "." or "..") before saving.
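The following is an added example, not code from the Drogon project or from this advisory. It models, in plain C++ with no Drogon dependency, the unsafe pattern the description refers to (resolving a client-supplied upload name under the target folder without checking it) beside a filename check a handler can apply before calling HttpFile::save(). The upload directory and the traversal file name are constructed inputs; the Drogon method names mentioned in comments are stated from memory and not compiled here.

```cpp
// Added example (not Drogon's own code) for CVE-2022-25297: an unchecked
// join of the target folder with a client-supplied name, next to a check
// that refuses anything but a bare file name.
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Lexically resolve where a client-supplied name lands under uploadDir.
// No filesystem access: this is the computation an unchecked save()
// effectively performs when it joins the target folder with the name.
std::string resolveUploadPath(const std::string &uploadDir,
                              const std::string &name) {
    return (fs::path(uploadDir) / name).lexically_normal().generic_string();
}

// True if the resolved target is still inside uploadDir.
bool staysInside(const std::string &uploadDir, const std::string &name) {
    const fs::path base = fs::path(uploadDir).lexically_normal();
    const fs::path target = (base / name).lexically_normal();
    const fs::path rel = target.lexically_relative(base);
    if (rel.empty()) return false;          // unrelated roots
    for (const auto &part : rel) {
        if (part == "..") return false;     // climbed out of base
    }
    return true;
}

// Allowlist check for a bare file name: rejects separators, ".", "..",
// absolute paths and embedded NUL. Stricter than staysInside(): it refuses
// anything that is not a single path component.
bool isSafeUploadName(const std::string &name) {
    if (name.empty() || name == "." || name == "..") return false;
    if (name.find('/') != std::string::npos) return false;
    if (name.find('\\') != std::string::npos) return false;  // Windows separator
    if (name.find('\0') != std::string::npos) return false;
    return true;
}

// Vulnerable pattern: what a handler that does file.save(file.getFileName())
// amounts to when the name is not validated. Returns wherever it resolves.
std::string saveUnchecked(const std::string &uploadDir,
                          const std::string &name) {
    return resolveUploadPath(uploadDir, name);
}

// Hardened pattern: only a validated bare name is joined onto uploadDir;
// anything else is refused (std::nullopt) and the handler should answer
// with a 4xx instead of calling save().
std::optional<std::string> saveChecked(const std::string &uploadDir,
                                       const std::string &name) {
    if (!isSafeUploadName(name)) return std::nullopt;
    return resolveUploadPath(uploadDir, name);
}

int main() {
    const std::string dir = "/srv/app/uploads";            // constructed target folder
    const std::string evil = "../../../etc/cron.d/job";    // constructed traversal name
    std::cout << "unchecked: " << saveUnchecked(dir, evil) << '\n';
    const auto checked = saveChecked(dir, evil);
    std::cout << "checked:   " << (checked ? *checked : std::string("rejected")) << '\n';
    std::cout << "checked:   " << saveChecked(dir, "report.pdf").value() << '\n';
    return 0;
}
```

The resolved path for the traversal name ends up under /etc rather than under the upload folder, which is the arbitrary-write the advisory describes. isSafeUploadName() is deliberately an allowlist rather than a blocklist of ".." substrings: it also refuses absolute names and backslashes, which staysInside() alone would need to reason about per platform.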

Weakness Enumeration

Files Accessible to External Parties

Related Identifiers

CVE-2022-25297
SNYK-UNMANAGED-DROGONFRAMEWORKDROGON-2407243

Affected Products

Drogonframework/Drogon