2011938 – (CVE-2021-40978) CVE-2021-40978 mkdocs: Directory traversal in dev-server

Bug 2011938 (CVE-2021-40978) - CVE-2021-40978 mkdocs: Directory traversal in dev-server

Summary: CVE-2021-40978 mkdocs: Directory traversal in dev-server

Keywords:
Status:	NEW
Alias:	CVE-2021-40978
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2011941 2011940
Blocks:	2011942
TreeView+	depends on / blocked

Reported:	2021-10-07 19:08 UTC by Pedro Sampaio
Modified:	2023-07-07 08:34 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	Mkdocs 1.2.2 allows directory traversal through the builtin development server which response on port 8000.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2021-10-07 19:08:07 UTC

The mkdocs 1.2.2 built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain :sensitive information.

References:

https://github.com/nisdn/CVE-2021-40978
https://github.com/mkdocs/mkdocs

Comment 1 Pedro Sampaio 2021-10-07 19:08:31 UTC

Created mkdocs tracking bugs for this issue:

Affects: epel-7 [bug 2011941]
Affects: fedora-all [bug 2011940]

Comment 2 Sandro Mani 2021-10-08 09:31:22 UTC

Upstream issue: https://github.com/mkdocs/mkdocs/issues/2601

Comment 3 lnacshon 2021-10-11 07:53:36 UTC

seems that the service is using not affected version mkdocs-0.17.5 but still filing a tracker

Note You need to log in before you can comment on or make changes to this bug.