| Name | CVE-2020-36565 |
| Description | Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-github-labstack-echo (PTS) | bookworm | 4.2.1-3 | fixed |
| forky, sid, trixie | 4.12.0-1 | fixed | |
| golang-github-labstack-echo.v2 (PTS) | bullseye | 2.2.0-2 | fixed |
| golang-github-labstack-echo.v3 (PTS) | bullseye | 3.3.10-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-github-labstack-echo | source | (unstable) | (not affected) | |||
| golang-github-labstack-echo.v2 | source | (unstable) | (not affected) | |||
| golang-github-labstack-echo.v3 | source | (unstable) | (not affected) |
- golang-github-labstack-echo <not-affected> (Windows-specific)
- golang-github-labstack-echo.v2 <not-affected> (Windows-specific)
- golang-github-labstack-echo.v3 <not-affected> (Windows-specific)
https://github.com/labstack/echo/pull/1718
https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
https://pkg.go.dev/vuln/GO-2021-0051