CVE-2020-27304

NameCVE-2020-27304
DescriptionThe CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
civetweb (PTS)bullseye1.13+dfsg-5vulnerable
bookworm1.15+dfsg-4fixed
sid, trixie1.16+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
civetwebsource(unstable)1.15+dfsg-1unimportant

Notes

vulnerable code is an example, not packaged by Debian but present in source package
https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ
https://github.com/civetweb/civetweb/commit/b2ed60c589172b37f3d705c69d84313eeb8348b1
https://github.com/civetweb/civetweb/commit/e489ff4f05647126ffa62d3a54f50bf7b7380776#diff-da20af5c7c76edbce3228777f142173af544c0202af876e8d5618f839f9ab2ac
Search for package or bug name: Reporting problems