Flaw in CGI mapfile loading makes it possible to bypass security controls. #6313

Closed
@sdlime

MapServer developers have identified a critical flaw in the logic associated with processing the map parameter. It is possible to specify an arbitrary mapfile that bypasses the MS_MAP_NO_PATH and MS_MAP_PATTERN checks. This issue makes it difficult to easily limit where MapServer can load a mapfile from and applies to versions 4.10 and newer.

--Steve

CVE ID: CVE-2021-32062
