CVE-2020-36565

NameCVE-2020-36565
DescriptionDue to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-labstack-echo (PTS)bookworm4.2.1-3fixed
sid, trixie4.12.0-1fixed
golang-github-labstack-echo.v2 (PTS)bullseye2.2.0-2fixed
golang-github-labstack-echo.v3 (PTS)bullseye3.3.10-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-labstack-echosource(unstable)(not affected)
golang-github-labstack-echo.v2source(unstable)(not affected)
golang-github-labstack-echo.v3source(unstable)(not affected)

Notes

- golang-github-labstack-echo <not-affected> (Windows-specific)
- golang-github-labstack-echo.v2 <not-affected> (Windows-specific)
- golang-github-labstack-echo.v3 <not-affected> (Windows-specific)
https://github.com/labstack/echo/pull/1718
https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa
https://pkg.go.dev/vuln/GO-2021-0051
Search for package or bug name: Reporting problems