CVE-2021-40978

Advisory

Mkdocs 1.2.3 includes a fix for CVE-2021-40978: Built-in dev-server allows directory traversal using the port 8000, enabling remote exploitation to obtain sensitive information.
NOTE: the vendor doesn't agree this is a security flaw. "It should be mentioned the dev server is known to not be secure and should not be used in a sensitive environment. The security flaw is using the dev-server in an unsafe way, e.g., as a public server and not just as a development server."

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/advisories/GHSA-qh9q-34h6-hcv9
• https://nvd.nist.gov/vuln/detail/CVE-2021-40978
• https://github.com/mkdocs/mkdocs/issues/2601
• https://github.com/nisdn/CVE-2021-40978/issues/1
• https://github.com/mkdocs/mkdocs/pull/2604
• https://github.com/mkdocs/mkdocs/pull/2604/commits/cddc453c9d49298e60e7d56fb71130c151cbcbe5
• https://github.com/mkdocs/mkdocs
• https://github.com/mkdocs/mkdocs/releases/tag/1.2.3
• https://github.com/nisdn/CVE-2021-40978
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40978