I am requesting a CVE, the details will be provided later as a comment.
Assigned CVE ID CVE-2018-12542
here are the CVE infos:

versions: 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.3.0.CR1, 3.3.0.CR2, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0.Beta1, 3.4.0, 3.4.1, 3.4.2, 3.5.0.Beta1, 3.5.0, 3.5.1, 3.5.2.CR1, 3.5.2.CR2, 3.5.2.CR3, 3.5.2, 3.5.3
- description: The StaticHandler uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\' (forward slashes) sequences that can resolve to a location that is outside of that directory when running on Windows Operating Systems. This was reported by Vishwanath Viraktamath <vviraktamath@vmware.com>
- CWE category: https://cwe.mitre.org/data/definitions/33.html

this was fixed in the 3.5.4 version that was released today, the project issue is https://github.com/vert-x3/vertx-web/issues/1025
Can you summarize the versions as a range? Or is it really just those specific versions?
Please update: \ is Backward Slash and please update the same in CVE database.
-Vishwanath Viraktamath

(In reply to Julien Viet from comment #2)
> here are the CVE infos:
>
> versions: 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.3.0.CR1, 3.3.0.CR2, 3.3.0, 3.3.1,
> 3.3.2, 3.3.3, 3.4.0.Beta1, 3.4.0, 3.4.1, 3.4.2, 3.5.0.Beta1, 3.5.0, 3.5.1,
> 3.5.2.CR1, 3.5.2.CR2, 3.5.2.CR3, 3.5.2, 3.5.3
> - description: The StaticHandler uses external input to construct a
> pathname that should be within a restricted directory, but it does not
> properly neutralize '\' (forward slashes) sequences that can resolve to a
> location that is outside of that directory when running on Windows Operating
> Systems. This was reported by Vishwanath Viraktamath <vviraktamath@vmware.com>
> - CWE category: https://cwe.mitre.org/data/definitions/33.html
>
> this was fixed in the 3.5.4 version that was released today, the project
> issue is https://github.com/vert-x3/vertx-web/issues/1025
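
Added example, not part of this thread and not Vert.x code: a Python sketch of the bug class in the CVE description, showing why a filter that only understands '/' passes a backslash sequence that Windows path rules resolve outside the root, next to a containment check done after normalisation. The roots, function names and request paths are constructed for illustration; `ntpath` and `posixpath` are used so both platform behaviours run on any OS.

```python
import ntpath
import posixpath

WEB_ROOT_POSIX = "/srv/webroot"       # constructed sample root
WEB_ROOT_WIN = r"C:\srv\webroot"      # constructed sample root


def naive_is_safe(request_path):
    """Hypothetical slash-only filter: rejects '..' only as a '/'-separated segment."""
    return ".." not in request_path.split("/")


def resolve(root, request_path, pathmod):
    """Join and normalise with the platform's own rules, then verify containment.

    Returns the normalised path, or None when it falls outside root.
    pathmod is ntpath (Windows rules) or posixpath (POSIX rules).
    """
    root_norm = pathmod.normpath(root)
    candidate = pathmod.normpath(pathmod.join(root_norm, request_path.lstrip("/")))
    try:
        common = pathmod.commonpath([root_norm, candidate])
    except ValueError:
        # Different drive, or a drive-relative path such as 'D:file'.
        return None
    return candidate if common == root_norm else None


if __name__ == "__main__":
    samples = ["css/site.css", "../../secret.txt", "..\\..\\secret.txt"]  # constructed
    for path in samples:
        print(
            repr(path),
            "naive:", naive_is_safe(path),
            "posix:", resolve(WEB_ROOT_POSIX, path, posixpath),
            "windows:", resolve(WEB_ROOT_WIN, path, ntpath),
        )
```

On POSIX rules the backslash sequence is just an odd file name inside the root, which is why the description limits the issue to Windows.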