Phoenix-ws source code and data in extensions folder is publicly available

High severity GitHub Reviewed Published May 26, 2022 in NovaAndrom3da/Phoenix • Updated Jan 8, 2023

Package

phoenix-ws (pip)

Affected versions

< 1.0.6

Patched versions

1.0.6

Description

Impact

All of the source code, files, and folders in phoenix_files/extensions/ are available to end users through a simple HTTP GET request.

Patches

The issue has been patched. Users of version 1.0.6 and above are not affected.
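
A way to check a Python environment against the affected range above, as an added example that is not part of the advisory or the Phoenix project. The helper names, the sample requirements text, and the choice to report unpinned or pre-release versions as "unknown" are assumptions of this example.

```python
import re
from importlib import metadata

PACKAGE = "phoenix-ws"   # package named in the advisory
PATCHED = (1, 0, 6)      # first patched version per the advisory

def normalize(name):
    """PEP 503 name normalization, so phoenix_ws and Phoenix.WS also match."""
    return re.sub(r"[-_.]+", "-", name).lower()

def classify(version):
    """Return 'affected', 'patched' or 'unknown' for a version string."""
    if not version or not re.fullmatch(r"\d+(\.\d+)*", version):
        return "unknown"  # unpinned, or pre/post/dev release: review by hand
    release = tuple(int(part) for part in version.split("."))
    release += (0,) * (len(PATCHED) - len(release))  # "1.0" compares as 1.0.0
    return "affected" if release < PATCHED else "patched"

def audit_requirements(text):
    """Return (line_no, requirement, status) for each phoenix-ws entry."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        # Drop trailing comments and environment markers before parsing.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)", line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        pin = re.fullmatch(r"===?\s*(\S+)", m.group(2))  # exact pins only
        findings.append((no, line, classify(pin.group(1) if pin else None)))
    return findings

def audit_installed():
    """Classify the phoenix-ws version installed in this interpreter."""
    try:
        return classify(metadata.version(PACKAGE))
    except metadata.PackageNotFoundError:
        return "not installed"

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# constructed sample requirements file
flask==2.0.1
phoenix-ws==1.0.5
Phoenix_WS==1.0.6  # patched
phoenix.ws>=1.0.0
phoenix-ws==1.0.6rc1
"""

if __name__ == "__main__":
    print(audit_installed(), audit_requirements(SAMPLE))
```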

References

NovaAndrom3da published to NovaAndrom3da/Phoenix May 26, 2022
Published to the GitHub Advisory Database Jun 2, 2022
Reviewed Jun 2, 2022
Last updated Jan 8, 2023

Severity

High (7.5 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-c8f7-x2g7-7fxj

Source code
