{ "schema_version": "1.4.0", "id": "GHSA-5m2h-7rf2-rpx6", "modified": "2023-12-07T17:03:44Z", "published": "2022-09-15T00:00:14Z", "aliases": [ "CVE-2022-40734" ], "summary": "UniSharp Laravel Filemanager directory traversal vulnerability", "details": "UniSharp laravel-filemanager (aka Laravel Filemanager) with `league/flysystem` version `< 2.0.0` allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022.\n\nSince `v2.6.4`, UniSharp laravel-filemanager (aka Laravel Filemanager) requires users to install `league/flysystem` version `>= 2.0.0`.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Packagist", "name": "unisharp/laravel-filemanager" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.4" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40734" }, { "type": "WEB", "url": "https://github.com/UniSharp/laravel-filemanager/issues/1150" }, { "type": "WEB", "url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1320186966" }, { "type": "WEB", "url": "https://github.com/UniSharp/laravel-filemanager/issues/1150#issuecomment-1825310417" }, { "type": "WEB", "url": "https://github.com/UniSharp/laravel-filemanager/commit/8a357d02e8f54ddf130961c64ff2cfc1882bbfcf" }, { "type": "PACKAGE", "url": "https://github.com/UniSharp/laravel-filemanager" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-09-16T17:08:22Z", "nvd_published_at": "2022-09-14T23:15:00Z" } }