CVE-2019-17640

In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly processes back slashes on Windows Operating systems, allowing, escape the webroot folder to the current working directory.

Published: Oct 15, 2020
Updated: Nov 8, 2023
CVE: CVE-2019-17640
GHSA: GHSA-vjw7-6gfq-6wf5
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
eclipse / vert.x	4.0.0-milestone2	4.0.0-milestone2.x
eclipse / vert.x	4.0.0-milestone3	4.0.0-milestone3.x
eclipse / vert.x	4.0.0-milestone4	4.0.0-milestone4.x
eclipse / vert.x	4.0.0-milestone5	4.0.0-milestone5.x
eclipse / vert.x	4.0.0-beta1	4.0.0-beta1.x
eclipse / vert.x	4.0.0-beta2	4.0.0-beta2.x
eclipse / vert.x	4.0.0-beta3	4.0.0-beta3.x
eclipse / vert.x	4.0.0-milestone1	4.0.0-milestone1.x
eclipse / vert.x	3.4.0	3.9.4.x
io.vertx / vertx-web	3.0.0	3.9.4

Vulnerability Database

CVE-2019-17640

Deep Security Visibility Without the Complexity