CVE-2019-17640 — Path Traversal in Eclipse Vert

Description

In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0-milestone1, 4.0.0-milestone2, 4.0.0-milestone3, 4.0.0-milestone4, 4.0.0-milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly processes back slashes on Windows Operating systems, allowing, escape the webroot folder to the current working directory.

How to fix CVE-2019-17640

To remediate CVE-2019-17640, upgrade the affected package to a fixed version below.

—upgrade to 3.9.4 or later

Is CVE-2019-17640 being exploited?

Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.0.0, < 3.9.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-17640
WEBbugs.eclipse.org/bugs/show_bug.cgi?id=567416
WEBgithub.com/vert-x3/vertx-web/commit/b12f7c4c6576a8adc3f683b2899de4b0e7d099e4
WEBlists.apache.org/thread.html/r591f6932560c8c46cee87415afed92924a982189fea7f7c9096f8e33@%3Ccommits.pulsar.apache.org%3E