
uWSGI Path Traversal vulnerability

Description

uWSGI is a software application that "aims at developing a full stack for building hosting services".

The uWSGI PHP plugin before 2.0.17 is vulnerable to path traversal when used without specifying the php-allowed-docroot option.

The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via php-docroot.

A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences (..%2f).
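The gap between filtering a request path for a literal ../ and checking containment after decoding, shown as an added example that is not uWSGI's code and not part of the original advisory. The function names, the DOCROOT value and the sample request paths are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/app"  # constructed value standing in for php-docroot

# Constructed request paths, not taken from real traffic.
SAMPLE_PATHS = [
    "/index.php",
    "/sub/..%2findex.php",         # encoded, but resolves inside the docroot
    "/..%2f..%2f..%2fetc/passwd",  # encoded traversal out of the docroot
    "/..%2fapp-secret/x",          # sibling directory sharing the docroot prefix
]


def naive_is_safe(raw_path):
    """Weak check: looks for a literal '../' before the path is URL-decoded."""
    return "../" not in raw_path


def resolve_under_docroot(raw_path, docroot=DOCROOT):
    """Decode, join, normalize, then require the result to stay under docroot.

    Returns the normalized path, or None when it falls outside docroot.
    normpath keeps this runnable without touching the filesystem; against
    real files use os.path.realpath so symlinks are resolved as well.
    """
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(docroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare on a path-component boundary, not a bare string prefix.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def audit(paths, docroot=DOCROOT):
    """Return (path, naive_verdict, resolved_or_None) for each request path."""
    return [(p, naive_is_safe(p), resolve_under_docroot(p, docroot)) for p in paths]


if __name__ == "__main__":
    for path, naive_ok, resolved in audit(SAMPLE_PATHS):
        print(f"{path!r}: naive_ok={naive_ok} resolved={resolved}")
```

The literal-string filter accepts every sample path, while the containment check rejects only the two that resolve outside the docroot.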

Remediation

Upgrade to the latest version of uWSGI. This vulnerability was fixed in uWSGI version 2.0.17.