Description
Directory Traversal in node-simple-router
Affected versions of node-simple-router resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.
Example request:
GET /../../../../../../../../../../etc/passwd HTTP/1.1
host:foo
Recommendation
Update to v0.10.1 or later.
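For servers that cannot upgrade immediately, or for reviewing similar static-file handlers, the following added example shows the containment check that refuses requests like the one above. It is not node-simple-router's code or its actual fix; the function name resolveWithinRoot, the document root /srv/www and the sample requests other than the advisory's own are assumptions made for illustration.

```javascript
const path = require("node:path");

// Map a raw request URL onto a file under rootDir.
// Returns the absolute path to serve, or null when the request must be refused.
function resolveWithinRoot(rootDir, requestUrl) {
  let decoded;
  try {
    // Drop the query string and decode once, so "%2e%2e%2f" is judged as "../".
    decoded = decodeURIComponent(requestUrl.split("?")[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // NUL bytes never belong in a file path

  const root = path.resolve(rootDir);
  // Treat "\" as a separator too. The "./" prefix keeps an absolute request
  // path from replacing the root when the two are resolved together.
  const candidate = path.resolve(root, "./" + decoded.replace(/\\/g, "/"));

  // Accept the root itself or a path strictly beneath it. Comparing against
  // root + separator stops a sibling such as /srv/www-private from matching.
  const prefix = root.endsWith(path.sep) ? root : root + path.sep;
  if (candidate !== root && !candidate.startsWith(prefix)) return null;
  return candidate;
}

// Constructed sample requests; the first is the example request from the advisory.
const SAMPLE_ROOT = "/srv/www"; // hypothetical document root
const SAMPLE_REQUESTS = [
  "/../../../../../../../../../../etc/passwd",
  "/%2e%2e/%2e%2e/etc/passwd",
  "/../www-private/secret.txt",
  "/css/../index.html",
];

for (const url of SAMPLE_REQUESTS) {
  const file = resolveWithinRoot(SAMPLE_ROOT, url);
  console.log(url, "->", file === null ? "403 (outside root)" : file);
}
```

The check is lexical: if the document root can contain symlinks, also compare the fs.realpath of the result against the root before serving the file.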
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-16083
- https://github.com/sandy98/node-simple-router/commit/dfdd52e2e80607af433097d940b3834fd96df488
- https://github.com/JacksonGL/NPM-Vuln-PoC/tree/master/directory-traversal/node-simple-router
- https://github.com/advisories/GHSA-5w8q-x7hc-jhp6
- https://www.npmjs.com/advisories/352
Packages
Name: node-simple-router (npm)
Affected versions: <= 0.10.0
Fixed version: 0.10.1
Related vulnerabilities
CVSS3: 7.5
nvd
more than 7 years ago
node-simple-router is a minimalistic router for Node. node-simple-router is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL.