Nim's rst parser sandboxed mode allows include which can embed any local file

Critical
dom96 published GHSA-ggrq-h43f-3w7m Jan 30, 2022

Package

docutils (Nim)

Affected versions

<1.6.2

Patched versions

None

Description

Severity

Critical

CVE ID

CVE-2022-23602

Weaknesses

Path Traversal: '../filedir'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize ../ sequences that can resolve to a location that is outside of that directory.