CVE-2021-40978 - Path Traversal. #2601
Comments
|
It should be mentioned the dev server is known to not be secure and should not be used in a sensitive environment. The security flaw is using the dev-server in an unsafe way, e.g., as a public server and not just as a development server. |
|
Thanks for the report. Perhaps you could try out with the fix in #2604. |
Package update 'Mkdocs': [Fix](mkdocs/mkdocs#2601) for vulnerability [CVE-2021-40978](https://nvd.nist.gov/vuln/detail/CVE-2021-40978)
|
Hi @oprypin, Stumbled upon this issue after using pip-audit; seems this vulnerability was fixed in 1.2.3 (#2604), but unfortunately it is still listed as active in the PyPA vulnerability advisory-database: https://github.com/pypa/advisory-database/blob/main/vulns/mkdocs/PYSEC-2021-878.yaml. Is there any way to correct that information? Cheers! |
|
@LFKoning thanks for bringing this up. I don't know, your guess is as good as mine. Maybe someone would need to suggest an edit in the repository that you linked? Could you try to search around? |
|
That file is a mess.. the only versions are 1.2, 1.2.1, 1.2.2 |
|
@oprypin thanks for the replies. And yeah.. It's not pretty. I'll search around if anything can be done about it. Seems like that database is compiled from yet another database... I'll report back here if I have more info. |
|
Any news on this? |
Hey!
We have verified a security flaw in the current version of MKdocs, a path traversal failure affecting the built-in dev-server.
That flaw turns the server susceptible to providing data outside the scope of the application allowing anyone to request sensitive files.
If you need further information, don't hesitate to get in touch with me.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40978
https://github.com/nisdn/CVE-2021-40978
The text was updated successfully, but these errors were encountered: