High severity · NVD Advisory · Published Aug 14, 2023 · Updated Oct 9, 2024
CVE-2023-40274
Description
An issue was discovered in zola 0.13.0 through 0.17.2. The custom implementation of a web server, available via the "zola serve" command, allows directory traversal. The handle_request function, used by the server to process HTTP requests, does not account for sequences of special path control characters (../) in the URL when serving a file, which allows one to escape the webroot of the server and read arbitrary files from the filesystem.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| zola (crates.io) | >= 0.13.0, <= 0.17.2 | — |
Affected products
- zola/zola (3 affected version ranges, from OSV coordinates):
  - (no CPE) range: < 0.17.2-r1
  - (no CPE) range: < 0.17.2-r1
  - (no CPE) range: >= 0.13.0, <= 0.17.2
References
- github.com/advisories/GHSA-xvv9-5j67-3rpq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-40274 (GHSA, advisory)
- github.com/getzola/zola/issues/2257 (GHSA, web)
- github.com/getzola/zola/pull/2258 (GHSA, web)