CVE-2023-40274: 
Rust vulnerability analysis and mitigation

An issue was discovered in zola 0.13.0 through 0.17.2. The custom implementation of a web server, available via the "zola serve" command, allows directory traversal. The handle_request function, used by the server to process HTTP requests, does not account for sequences of special path control characters (../) in the URL when serving a file, which allows one to escape the webroot of the server and read arbitrary files from the filesystem (NVD).

The vulnerability exists in the handle_request function within zola/src/cmd/serve.rs. The application only checks for a trusted path prefix but does not fully resolve the path. Since the webroot directory is prepended to each path, the security check can be bypassed as the path still starts with the trusted prefix even when using path traversal sequences. The CVSS v3.1 base score is 7.5 HIGH with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD, GitHub Issue).

The vulnerability allows attackers to read arbitrary files from the filesystem of machines running the zola serve command. This could lead to exposure of sensitive system files and information disclosure (GitHub Issue).

The vulnerability has been patched by using fs canonicalize to prevent path traversal attacks. Users should upgrade to a version after 0.17.2 that includes this fix (GitHub PR).