CVE-2023-40587 – Pyramid static view path traversal up one directory

https://notcve.org/view.php?id=CVE-2023-40587

25 Aug 2023 — Pyramid is an open source Python web framework. A path traversal vulnerability in Pyramid versions 2.0.0 and 2.0.1 impacts users of Python 3.11 that are using a Pyramid static view with a full filesystem path and have a `index.html` file that is located exactly one directory above the location of the static view's file system path. No further path traversal exists, and the only file that could be disclosed accidentally is `index.html`. Pyramid version 2.0.2 rejects any path that contains a null-byte out of ... • https://github.com/Pylons/pyramid/commit/347d7750da6f45c7436dd0c31468885cc9343c85 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •