Directory Traversal

Module: st

Published: February 6th, 2014

Reported by: Isaac Schlueter

CVE-2014-3744

CWE-22

Vulnerable: <0.2.5
Patched: >=0.2.5

Overview

Versions of st prior to 0.2.5 are affected by a directory traversal vulnerability. Vulnerable versions fail to properly handle URL-encoded dots: %2e is interpreted as . by the filesystem, resulting in the potential for an attacker to read sensitive files on the server.
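The following is an added example, not st's own code: it shows one ordering mistake that produces this class of bug (checking for dot segments before percent-decoding) beside a resolver that decodes first and then verifies containment. The root `/srv/static`, the file names and both function names are assumptions made for the illustration.

```javascript
const path = require('path');

// Hypothetical document root, used only for this example.
const ROOT = '/srv/static';

// Flawed order: the ".." check runs on the still-encoded path, then the
// path is decoded, so "%2e%2e" turns into ".." after the check has passed.
function resolveCheckThenDecode(urlPath) {
  if (urlPath.split('/').includes('..')) return null;
  return path.posix.join(ROOT, decodeURIComponent(urlPath));
}

// Hardened order: decode exactly once, resolve to an absolute path, and
// only then confirm the result is still inside ROOT.
function resolveDecodeThenCheck(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a path
  const full = path.posix.resolve(ROOT, './' + decoded);
  if (full !== ROOT && !full.startsWith(ROOT + '/')) return null;
  return full;
}

// Constructed request paths for the demonstration.
const samples = ['/css/site.css', '/%2e%2e/secret.txt', '/a/%2e%2e/b.txt', '/%zz'];
for (const s of samples) {
  console.log(s, '->', resolveCheckThenDecode.name, safeCall(resolveCheckThenDecode, s),
    '|', resolveDecodeThenCheck.name, resolveDecodeThenCheck(s));
}

// Helper so the flawed resolver's URIError on bad input does not stop the loop.
function safeCall(fn, arg) {
  try { return fn(arg); } catch (e) { return 'threw ' + e.name; }
}
```

The containment check compares against `ROOT + '/'` rather than `ROOT` alone so that a sibling directory such as `/srv/static-old` is not treated as inside the root.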

Remediation

Update to version 0.2.5 or later.

References

st Security Status