Description
Path Traversal in serve-here.js
Versions of serve-here.js prior to 1.2.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.
Recommendation
Upgrade to version 1.2.0 or later.
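The check the description says is missing, sketched for a Node.js static file server. This is an added example, not serve-here's code: the helper name `resolveInsideRoot` and the root `/srv/www` are assumptions, and the sample requests are constructed.

```javascript
const path = require('path');

// Hypothetical helper: map a request URL to a file path under `root`,
// or return null when the request must be refused.
function resolveInsideRoot(root, requestUrl) {
  const rootAbs = path.resolve(root);
  let pathname;
  try {
    // Drop the query string and fragment, then percent-decode exactly once.
    pathname = decodeURIComponent(requestUrl.split(/[?#]/, 1)[0]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (pathname.includes('\0')) return null; // NUL byte in the path
  // Treat backslashes as separators so the check behaves the same on every OS.
  pathname = pathname.replace(/\\/g, '/');
  // Strip leading slashes so the request cannot reset resolution to the filesystem root.
  const candidate = path.resolve(rootAbs, './' + pathname.replace(/^\/+/, ''));
  // Compare by path components, not by string prefix: "/srv/www-backup"
  // starts with "/srv/www" but is not inside it.
  const rel = path.relative(rootAbs, candidate);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}

// Constructed sample requests: the first two are served, the rest are refused.
const samples = [
  '/index.html',
  '/a/../b.txt',
  '/../../etc/passwd',
  '/%2e%2e/%2e%2e/etc/passwd',
  '/..%5c..%5cetc/passwd',
  '/../www-backup/x',
];
for (const url of samples) {
  console.log(url, '->', resolveInsideRoot('/srv/www', url));
}
```

The comparison is lexical only; if the served tree can contain symlinks, resolve both paths with `fs.realpath` before comparing.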
Packages
Name: serve-here (npm)
Affected versions: <= 3.2.0
Fix version: None
Weaknesses
CWE-22