Description

NGINX is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
The NGINX alias directive defines a replacement for the specified location.
For example, with the following configuration:

location /i/ {
    alias /data/w3/images/;
}
on a request for /i/top.gif, the file /data/w3/images/top.gif will be sent.

But if the location doesn't end with a directory separator (i.e. /):

location /i {
    alias /data/w3/images/;
}
on a request for /i../app/config.py, the file /data/w3/app/config.py will be sent: the matched prefix /i is replaced by the alias value, the remainder ../app/config.py is appended, and the .. steps out of the images directory.

An incorrectly configured alias could therefore allow an attacker to read files stored outside the intended folder.

Remediation

Find all NGINX alias directives and make sure that the enclosing prefix location ends with a directory separator (/).
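As an added example (not part of this page), both halves of the issue in Python: a small checker for the remediation above that flags alias directives under prefix locations lacking a trailing slash, and a model of the path resolution from the description that shows how /i../app/config.py resolves outside /data/w3/images/. The sample configuration is constructed, and the parser assumes flat, unnested location blocks.

```python
import posixpath
import re

# Constructed sample config (hypothetical): the first location is the safe
# form from the page, the second is the off-by-slash form.
SAMPLE_CONFIG = """
server {
    location /i/ {
        alias /data/w3/images/;
    }
    location /static {
        alias /data/w3/images/;
    }
}
"""

LOCATION_RE = re.compile(r'location\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{')
ALIAS_RE = re.compile(r'\balias\s+([^;]+);')

def find_unsafe_aliases(config_text):
    """(location, alias) pairs where a prefix location using alias lacks a
    trailing '/'. Exact (=) and regex (~, ~*) locations do no prefix swap."""
    findings = []
    for m in LOCATION_RE.finditer(config_text):
        modifier, path = m.group(1), m.group(2)
        if modifier in ('=', '~', '~*') or path.endswith('/'):
            continue
        end = config_text.find('}', m.end())  # assumes no nested blocks
        body = config_text[m.end():end if end != -1 else None]
        for a in ALIAS_RE.finditer(body):
            findings.append((path, a.group(1).strip()))
    return findings

def resolve_alias_path(location, alias, request_uri):
    """Model nginx's mapping: normalise the URI, swap the matched prefix for
    the alias value, append the remainder, let '..' collapse as on disk."""
    uri = posixpath.normpath(request_uri)
    if request_uri.endswith('/') and not uri.endswith('/'):
        uri += '/'
    if not uri.startswith(location):
        return None  # this location would not be selected at all
    return posixpath.normpath(alias + uri[len(location):])

def escapes_alias_dir(location, alias, request_uri):
    """True when the resolved file lies outside the alias directory."""
    resolved = resolve_alias_path(location, alias, request_uri)
    base = posixpath.normpath(alias)
    return resolved is not None and resolved != base and not resolved.startswith(base + '/')
```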
