CVE-2020-36565 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Go	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 69%

Vendor	Product	Version
labstack	echo	𝑥 < 4.2.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

golang-github-labstack-echo

bookworm	4.2.1-3 fixed
sid	4.12.0-1 fixed
trixie	4.12.0-1 fixed

golang-github-labstack-echo.v2

bullseye

2.2.0-2

fixed

golang-github-labstack-echo.v3

bullseye

3.3.10-1

fixed

Ubuntu Releases

Ubuntu Product

Codename

golang-github-labstack-echo

noble	needs-triage
mantic	ignored
lunar	ignored
kinetic	ignored
jammy	needs-triage
focal	dne
bionic	dne
xenial	ignored
trusty	ignored

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa

https://github.com/labstack/echo/pull/1718

https://pkg.go.dev/vuln/GO-2021-0051

https://github.com/labstack/echo/commit/4422e3b66b9fd498ed1ae1d0242d660d0ed3faaa

https://github.com/labstack/echo/pull/1718

https://pkg.go.dev/vuln/GO-2021-0051