CVE-2022-35920

Summary

Sanic is an opensource python web server/framework. Affected versions of sanic allow access to lateral directories when using app.static if using encoded %2F URLs. Parent directory traversal is not impacted. Users are advised to upgrade. There is no known workaround for this issue.

Affected Software

VendorProductVersion RangeStatus
sanic-orgsanic>= 22.0.0, < 22.6.1affected
sanic-orgsanic>= 21.0.0, < 21.12.2affected
sanic-orgsanic< 20.12.7affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References