
CVE-2021-40978 - Path Traversal. #2601

Closed
farinap5 opened this issue Oct 8, 2021 · 2 comments · Fixed by #2604

Comments

farinap5 commented Oct 8, 2021

Hey!

We have verified a security flaw in the current version of MkDocs, a path traversal failure affecting the built-in dev-server.

That flaw makes the server susceptible to serving data outside the scope of the application, allowing anyone to request sensitive files.

If you need further information, don't hesitate to get in touch with me.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40978
https://github.com/nisdn/CVE-2021-40978

facelessuser (Contributor) commented

It should be mentioned that the dev server is known not to be secure and should not be used in a sensitive environment. The security flaw is using the dev-server in an unsafe way, e.g., as a public server and not just as a development server.

oprypin (Member) commented Oct 10, 2021

Thanks for the report. Perhaps you could try out with the fix in #2604.
