Skip to content

Flaw in CGI mapfile loading makes it possible to bypass security controls. #6313

New issue
New issue
Closed
Closed
Flaw in CGI mapfile loading makes it possible to bypass security controls.#6313
Labels
Security
@sdlime

Description

@sdlime
sdlime
opened on Apr 30, 2021

MapServer developers have identified a critical flaw in the logic associated with processing map parameter. It is possible to specify an arbitrary mapfile that bypasses the MS_MAP_NO_PATH and MS_MAP_PATTERN checks. This issue makes it difficult to easily limit where MapServer can load a mapfile from and applies to versions 4.10 and newer.

--Steve

CVE ID: CVE-2021-32062

Metadata

Metadata

Assignees

No one assigned

    Labels

    Security

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions