exploitDog

GHSA-f3vw-587g-r29g

Published: 03 Sep 2020
Source: github
GitHub: reviewed

Description

Path Traversal in sapper

Versions of sapper prior to 0.27.11 are vulnerable to path traversal (CWE-22). Sensitive files on the server can be read through HTTP requests whose path contains URL-encoded ../ segments that are decoded after the path has been checked.

You can test a sapper application running in production mode with:

curl -vvv http://localhost:3000/client/750af05c3a69ddc6073a/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd

Note that the traversal segments are double-encoded: %25 decodes to %, so %252e becomes %2e on the first decode and . on the second. A check that only looks for a literal ../ in the request path as received therefore does not see them, while the file lookup that runs after decoding does.

Recommendation

Upgrade to version 0.27.11 or later.

Packages

Name    Ecosystem    Affected versions    Fixed version
sapper  npm          < 0.27.11            0.27.11

Weaknesses

CWE-22
