Description

uWSGI is a software application that "aims at developing a full stack for building hosting services".

The uWSGI PHP plugin before 2.0.17 is vulnerable to path traversal when used without specifying the php-allowed-docroot option.

The vulnerability exists due to improper validation of the file path when a resource is requested under the DOCUMENT_ROOT directory, which is specified via php-docroot.

A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences (..%2f).
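As an added illustration (not uWSGI's own code), the C sketch below shows why a filter applied to the raw request path misses `..%2f`, and how a check applied after percent-decoding rejects any path that climbs above the document root. The function names `naive_check` and `stays_in_docroot` are hypothetical, and the check is lexical only: it decodes once and does not resolve symlinks.

```c
#include <ctype.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src once into dst. Returns -1 on a malformed escape,
 * an encoded NUL byte, or a result that does not fit in n bytes. */
static int pct_decode(const char *src, char *dst, size_t n) {
    size_t o = 0;
    for (; *src; src++) {
        int c = (unsigned char)*src;
        if (c == '%') {
            int hi = hexval((unsigned char)src[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
            if (lo < 0 || (c = hi * 16 + lo) == 0) return -1;
            src += 2;
        }
        if (o + 1 >= n) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Naive filter on the raw path: "..%2f" contains no literal "../". */
int naive_check(const char *raw) { return strstr(raw, "../") == NULL; }

/* 1 if the decoded path never climbs above the document root, else 0.
 * Lexical only (assumption): symlinks under the root are not resolved. */
int stays_in_docroot(const char *raw) {
    char buf[1024];
    int depth = 0;                      /* directory levels below the root */
    if (pct_decode(raw, buf, sizeof buf) != 0) return 0;
    for (char *p = buf; *p; p += (*p == '/')) {
        size_t len = strcspn(p, "/");   /* length of the current segment */
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0) return 0;  /* ".." would leave the root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                    /* ordinary segment; "" and "." are skipped */
        }
        p += len;
    }
    return 1;
}
```

A production check would also canonicalize the joined filesystem path (for example with `realpath`) and compare it against the allowed root.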

Remediation

Upgrade to the latest version of uWSGI. This vulnerability was fixed in uWSGI version 2.0.17.
