CVE-2021-35397
drogon 1.0.0-beta14 - 1.6.0 - Unauthenticated Path Traversal in Static Router
Severity
HIGH
A path traversal vulnerability in the static file router of Drogon versions 1.0.0-beta14 through 1.6.0 could allow an unauthenticated, remote attacker to read arbitrary files. The vulnerability is due to insufficient input validation of the requested path (CWE-22). An attacker could exploit it by sending a crafted HTTP request whose path names the file to read. Successful exploitation could allow the attacker to read files outside the static document root that should have been restricted.
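The missing check described above, as an added example that is not Drogon's code and is not taken from the referenced StaticFileRouter.cc: a minimal path resolver of the kind a static file router needs, which percent-decodes the request path exactly once, normalizes it lexically and refuses any path that would climb above the document root. The function names (naiveResolve, percentDecode, resolveStaticPath), the document root /srv/www and the sample request paths are this example's own assumptions.

```cpp
// Added example, not Drogon's code: a minimal safe path resolver of the kind
// a static file router needs. Decode once, normalize lexically, refuse escapes.
#include <cctype>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// The unvalidated pattern this CVE class is about (illustrative, not Drogon's
// code): the request path is appended to the document root with no checks, so
// "/../../etc/passwd" resolves to a file outside the root.
std::string naiveResolve(const std::string &docRoot, const std::string &requestPath) {
    return docRoot + requestPath;
}

// Decode %XX sequences exactly once. Malformed escapes yield nullopt so the
// request is refused instead of being served half-decoded.
std::optional<std::string> percentDecode(const std::string &in) {
    std::string out;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] != '%') {
            out.push_back(in[i]);
            continue;
        }
        if (i + 2 >= in.size() ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            return std::nullopt;
        }
        out.push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
        i += 2;
    }
    return out;
}

// Resolve requestPath against docRoot. Returns the filesystem path to serve,
// or nullopt when the request must be rejected (traversal above the root,
// embedded NUL, or a malformed percent-escape).
std::optional<std::string> resolveStaticPath(const std::string &docRoot,
                                             const std::string &requestPath) {
    auto decoded = percentDecode(requestPath);
    if (!decoded) return std::nullopt;
    std::string p = *decoded;

    // A NUL would truncate the path once it reaches a C API such as open(2).
    if (p.find('\0') != std::string::npos) return std::nullopt;

    // Treat backslash as a separator too, so "..\..\" is not waved through
    // on platforms where the filesystem accepts it.
    for (char &c : p) if (c == '\\') c = '/';

    // Lexical normalization on the decoded path: "." is dropped, ".." pops a
    // segment, and a ".." with nothing left to pop is an escape attempt.
    std::vector<std::string> segs;
    size_t start = 0;
    while (start <= p.size()) {
        size_t end = p.find('/', start);
        if (end == std::string::npos) end = p.size();
        std::string seg = p.substr(start, end - start);
        if (seg == "..") {
            if (segs.empty()) return std::nullopt;  // refuse, do not clamp
            segs.pop_back();
        } else if (!seg.empty() && seg != ".") {
            segs.push_back(seg);
        }
        start = end + 1;
    }

    std::string out = docRoot;
    for (const auto &s : segs) {
        out += '/';
        out += s;
    }
    return out;
}

int main() {
    const std::string root = "/srv/www";  // constructed document root
    const char *samples[] = {"/css/site.css", "/../../etc/passwd",
                             "/%2e%2e/%2e%2e/etc/passwd", "/a/../b/./c.txt"};
    for (const char *s : samples) {
        auto r = resolveStaticPath(root, s);
        std::cout << s << " -> naive: " << naiveResolve(root, s)
                  << " | checked: " << (r ? *r : std::string("REJECTED")) << '\n';
    }
    return 0;
}
```

Two points of the design matter in practice. The traversal check runs on the decoded path and the decoder runs only once, so "%2e%2e" is caught while "%252e" stays a literal filename rather than becoming ".." on a second pass. The check is purely lexical: it cannot see symlinks inside the document root that point elsewhere, so a router that must tolerate such links should additionally canonicalize the opened file (realpath or equivalent) and confirm the result still has the document root as a prefix.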
References (4)
- https://github.com/an-tao/drogon (Third Party Advisory)
- https://github.com/an-tao/drogon/blob/834e3eabdd0441ad2bc80c02e8bbfc3b8312c213/lib/src/StaticFileRouter.cc#L62-L67 (Exploit, Third Party Advisory)
- https://github.com/an-tao/drogon/wiki/ENG-02-Installation (Third Party Advisory)
- https://github.com/an-tao/drogon/wiki/ENG-03-Quick-Start#Static-Site (Third Party Advisory)
Scores
CVSS v3.1 Base Score
7.5
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
NETWORK
EPSS
0.0401 (4.01%)
EPSS Percentile
89.3%
Details
CWE
CWE-22
Status
published
Products (2)
- drogon/drogon 1.0.0 (9 CPE variants)
- drogon/drogon 1.1.0 - 1.6.0
Published
Aug 04, 2021
Tracked Since
Feb 18, 2026