The CivetWeb web library does not validate uploaded filepaths when running on an OS other than Windows, when using the built-in HTTP form-based file upload mechanism, via the mg_handle_form_request API. Web applications that use the file upload form handler, and use parts of the user-controlled filename in the output path, are susceptible to directory traversal Reference: https://groups.google.com/g/civetweb/c/yPBxNXdGgJQ https://jfrog.com/blog/cve-2020-27304-rce-via-directory-traversal-in-civetweb-http-server/
Important to mention that this vulnerability does not affect component if at least one of these is true: - You are using the pre-built Windows executable from SourceForge or GitHub releases (no CivetWeb version is affected) - You are using "make" (for Linux) or "cmake" in the civetweb root directory to build the server on your own. - You are building only using files from src/ and include/ but not examples/. - You do not have html form handlers, that allow file upload.
Upstream fix: https://github.com/civetweb/civetweb/commit/b2ed60c589172b37f3d705c69d84313eeb8348b1
This issue has been addressed in the following products: RHACS-3.67-RHEL-8 Via RHSA-2021:4902 https://access.redhat.com/errata/RHSA-2021:4902
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27304