Bug 1191938 (CVE-2020-27304) - VUL-1: CVE-2020-27304: civetweb: missing uploaded filepath validation in the default form-based file upload mechanism
Status: RESOLVED FIXED
Alias: CVE-2020-27304
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.3
Hardware: Other Other
Importance: P4 - Low : Minor
Target Milestone: ---
Assignee: Axel Braun
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/313299/
Reported: 2021-10-22 07:07 UTC by Gabriele Sonnu
Modified: 2022-05-18 13:20 UTC
Found By: Security Response Team
Description Gabriele Sonnu 2021-10-22 07:07:54 UTC
The CivetWeb web library does not validate uploaded filepaths when running on an
OS other than Windows, when using the built-in HTTP form-based file upload
mechanism, via the mg_handle_form_request API. Web applications that use the
file upload form handler, and use parts of the user-controlled filename in the
output path, are susceptible to directory traversal.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27304
https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server/
https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ
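
An application-side check for the case described above, where part of the user-controlled filename ends up in the output path. This is an added example, not code from this bug report or from CivetWeb; the function name `build_upload_path`, the upload directory, the 128-byte limit and the character allowlist are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not CivetWeb code): build the storage path for an
 * upload from the client-supplied filename, or refuse the name.
 * Returns 0 and fills `out` on success, -1 if the name is rejected. */
int build_upload_path(const char *upload_dir, const char *client_name,
                      char *out, size_t out_len)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t len;
    int n;

    if (upload_dir == NULL || client_name == NULL || out == NULL)
        return -1;

    len = strlen(client_name);
    if (len == 0 || len > 128)
        return -1;                /* empty or unreasonably long name */

    /* Allowlist: a '/', '\\', control byte or any other character rejects
     * the whole name, so no path separator can reach the output path. */
    if (strspn(client_name, allowed) != len)
        return -1;

    /* "." and ".." pass the allowlist; refusing a leading dot blocks them
     * and also hidden files. */
    if (client_name[0] == '.')
        return -1;

    n = snprintf(out, out_len, "%s/%s", upload_dir, client_name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;                /* path would be truncated: refuse it */
    return 0;
}

int main(void)
{
    /* Constructed sample filenames, as a client could send them. */
    const char *samples[] = { "report.pdf", "../outside.txt", "..",
                              "a/b.txt", ".hidden" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_upload_path("/var/lib/app/uploads", samples[i],
                                   path, sizeof path);
        printf("%-16s -> %s\n", samples[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

Rejecting the name outright, rather than stripping separators from it, avoids storing a file under a name the client did not send.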
Comment 1 Gabriele Sonnu 2021-10-22 07:08:49 UTC
Affected packages:

 - openSUSE:Backports:SLE-15-SP2/civetweb  1.11
 - openSUSE:Backports:SLE-15-SP3/civetweb  1.14
 - openSUSE:Backports:SLE-15-SP4/civetweb  1.14
 - openSUSE:Factory/civetweb               1.14

Please update them to a non-vulnerable version (>=1.15).
Comment 2 Axel Braun 2021-10-22 10:19:04 UTC
SR https://build.opensuse.org/request/show/926908 on the way to Factory
Comment 3 OBSbugzilla Bot 2021-10-22 10:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1191938) was mentioned in
https://build.opensuse.org/request/show/926910 15.2 / civetweb
https://build.opensuse.org/request/show/926911 15.3 / civetweb
https://build.opensuse.org/request/show/926912 Backports:SLE-15-SP4 / civetweb
Comment 4 Swamp Workflow Management 2021-10-31 20:29:20 UTC
openSUSE-SU-2021:1424-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1191938
CVE References: CVE-2020-27304
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    civetweb-1.15-lp152.2.3.1
Comment 5 Axel Braun 2022-01-17 16:26:33 UTC
As the updated versions are already shipped, I close the bug.
Comment 6 OBSbugzilla Bot 2022-05-05 16:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1191938) was mentioned in
https://build.opensuse.org/request/show/975222 15.3 / civetweb
Comment 7 Swamp Workflow Management 2022-05-18 13:20:24 UTC
openSUSE-SU-2022:0136-1: An update that fixes 15 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191938,1194547,1199047
CVE References: CVE-2020-27304,CVE-2021-4140,CVE-2022-22737,CVE-2022-22738,CVE-2022-22739,CVE-2022-22740,CVE-2022-22741,CVE-2022-22742,CVE-2022-22743,CVE-2022-22744,CVE-2022-22745,CVE-2022-22746,CVE-2022-22747,CVE-2022-22748,CVE-2022-22751
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaFirefox-91.5.0-152.12.1, civetweb-1.15-lp153.2.3.1