CVE-2021-32062
MEDIUM
MapServer < 7.0.8, 7.1.x-7.2.x < 7.2.3, 7.3.x-7.4.x < 7.4.5, 7.5.x-7.6.x < 7.6.3 - Path Traversal via Mapfile Loading
Title source: llm
Description
MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x before 7.4.5, and 7.5.x and 7.6.x before 7.6.3 does not properly enforce the MS_MAP_NO_PATH and MS_MAP_PATTERN restrictions that are intended to control the locations from which a mapfile may be loaded (with MapServer CGI).
References (6)
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://mapserver.org/development/changelog/changelog-7-6.html
Release Notes, Vendor Advisory x_refsource_misc
https://mapserver.org/development/changelog/changelog-7-4.html
Release Notes, Vendor Advisory x_refsource_misc
https://mapserver.org/development/changelog/changelog-7-2.html
Release Notes, Vendor Advisory x_refsource_misc
https://mapserver.org/development/changelog/changelog-7-0.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNORAZCJ7AIPJFUY6WGLYIA3QVPWFXFY/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYVWUC4EOW5WZAZGPLRTZS5QXNUEBPQ5/
Scores
CVSS v3
5.3
EPSS
0.0148
EPSS Percentile
70.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-22
Status
published
Products (3)
fedoraproject/fedora
33
fedoraproject/fedora
34
osgeo/mapserver
< 7.0.8
Published
May 06, 2021
Tracked Since
Feb 18, 2026