CVE-2021-40978 - Path Traversal.

[farinap5]

Hey!

We have verified a security flaw in the current version of MKdocs, a path traversal failure affecting the built-in dev-server.

That flaw turns the server susceptible to providing data outside the scope of the application allowing anyone to request sensitive files.

If you need further information, don't hesitate to get in touch with me.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40978
https://github.com/nisdn/CVE-2021-40978

[facelessuser]

It should be mentioned the dev server is known to not be secure and should not be used in a sensitive environment. The security flaw is using the dev-server in an unsafe way, e.g., as a public server and not just as a development server.

[oprypin]

Thanks for the report. Perhaps you could try out with the fix in #2604.

[LFKoning]

Hi @oprypin,

Stumbled upon this issue after using pip-audit; seems this vulnerability was fixed in 1.2.3 (#2604), but unfortunately it is still listed as active in the PyPA vulnerability advisory-database: https://github.com/pypa/advisory-database/blob/main/vulns/mkdocs/PYSEC-2021-878.yaml. Is there any way to correct that information?

Cheers!

[oprypin]

@LFKoning thanks for bringing this up. I don't know, your guess is as good as mine. Maybe someone would need to suggest an edit in the repository that you linked? Could you try to search around?

[oprypin]

That file is a mess.. the only versions are 1.2, 1.2.1, 1.2.2
but it lists every version that ever existed 😂

[LFKoning]

@oprypin thanks for the replies.

And yeah.. It's not pretty. I'll search around if anything can be done about it. Seems like that database is compiled from yet another database...

I'll report back here if I have more info.

[andreportela]

Any news on this?