Closed
Description
MapServer developers have identified a critical flaw in the logic associated with processing the map parameter. It is possible to specify an arbitrary mapfile that bypasses the MS_MAP_NO_PATH and MS_MAP_PATTERN checks. This issue makes it difficult to easily limit where MapServer can load a mapfile from and applies to versions 4.10 and newer.
--Steve
CVE ID: CVE-2021-32062