CVE-2020-36565 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADP	ADP	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 52%

Affected Products (NVD)

Vendor	Product	Version
labstack	echo	𝑥 < 4.2.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

golang-github-labstack-echo

bookworm	4.2.1-3 fixed
sid	4.12.0-1 fixed
trixie	4.12.0-1 fixed

golang-github-labstack-echo.v2

bullseye

2.2.0-2

fixed

golang-github-labstack-echo.v3

bullseye

3.3.10-1

fixed

Ubuntu Releases

Ubuntu Product

Codename

golang-github-labstack-echo

bionic	dne
focal	dne
jammy	needs-triage
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
trusty	ignored
xenial	ignored

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa

https://github.com/labstack/echo/pull/1718

https://pkg.go.dev/vuln/GO-2021-0051

https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa

https://github.com/labstack/echo/pull/1718

https://pkg.go.dev/vuln/GO-2021-0051