漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
WebP Server Go < 0.15.0 Path Traversal via Backslash Encoding on Windows
Vulnerability Description
WebP Server Go through 0.14.4 contains a path traversal vulnerability on Windows that allows unauthenticated attackers to read files outside the configured IMG_PATH directory by sending requests with percent-encoded backslashes (%5C) that bypass the path.Clean() sanitization in handler/router.go. Attackers can exploit the discrepancy between Go's forward-slash-only path normalization and Windows file system APIs that treat backslashes and forward slashes as equivalent to access arbitrary files on the host filesystem accessible to the server process.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
WebP Server 路径遍历漏洞
Vulnerability Description
WebP Server WebP Server是WebP Server公司开源的一个基于 Go 语言的图片服务器,能够实时将 JPEG、PNG、BMP、GIF、SVG 等格式的图片自动转换为 WebP 或 AVIF 格式并压缩输出,无需修改原始 URL 即可实现图片优化加速。 WebP Server 0.14.4及之前版本存在路径遍历漏洞,该漏洞源于Windows平台上路径清理不足,允许未经身份验证的攻击者通过发送带有百分号编码反斜杠(%5C)的请求绕过path.Clean()清理,利用Go仅接受正斜杠的
CVSS Information
N/A
Vulnerability Type
N/A