GHSA-p72p-rjr2-r439

Published: 29 May 2019
Source: github
Github: Reviewed

Description

Server-Side Request Forgery in terriajs-server

Versions of terriajs-server prior to 2.7.4 are vulnerable to Server-Side Request Forgery (SSRF). If an attacker has access to a server whitelisted by the terriajs-server proxy or if the attacker is able to modify the DNS records of a domain whitelisted by the terriajs-server proxy, the attacker can use the terriajs-server proxy to access any HTTP-accessible resources that are accessible to the server, including private resources in the hosting environment.

Recommendation

Upgrade to version 2.7.4 or later.
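
The description above implies that a hostname allowlist alone does not constrain where a proxy connects, because the allowlisted name can resolve to an internal address. The following is an added example, not terriajs-server code and not the 2.7.4 fix: a check that also rejects internal resolved addresses. `ALLOWED_HOSTS`, `isInternalAddress`, `checkProxyTarget` and all sample hosts and addresses are hypothetical.

```javascript
// Added illustration; host names and addresses are constructed samples.
const ALLOWED_HOSTS = new Set(['maps.example.org']); // hypothetical proxy allowlist

// IPv4 ranges a public-facing proxy should never fetch from.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted-quad string to integer, or null if it is not a valid IPv4 address.
function v4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when the address is loopback, private, link-local or unparseable.
// Assumes addresses in the textual form a resolver returns.
function isInternalAddress(ip) {
  const lower = ip.toLowerCase();
  const isMapped = lower.startsWith('::ffff:'); // IPv4-mapped IPv6
  const n = v4ToInt(isMapped ? lower.slice(7) : lower);
  if (n !== null) {
    return BLOCKED_V4.some(([base, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(base) / size);
    });
  }
  if (isMapped || !lower.includes(':')) return true; // fail closed
  // IPv6 loopback, unspecified, unique-local fc00::/7, link-local fe80::/10.
  return lower === '::1' || lower === '::' ||
    /^f[cd][0-9a-f]{2}:/.test(lower) || /^fe[89ab][0-9a-f]:/.test(lower);
}

// Decide whether the proxy may fetch `url`, given what its host resolved to.
function checkProxyTarget(url, resolvedAddresses) {
  const host = new URL(url).hostname.toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return { allowed: false, reason: 'host not in allowlist' };
  if (resolvedAddresses.length === 0) return { allowed: false, reason: 'no addresses' };
  const bad = resolvedAddresses.find(isInternalAddress);
  if (bad) return { allowed: false, reason: `resolves to internal address ${bad}` };
  return { allowed: true, reason: 'ok' };
}
```

The outbound connection should then be made to the address that was checked, since a second DNS lookup may return a different answer.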

Packages

Name: terriajs-server (npm)
Affected versions: < 2.7.4
Fixed version: 2.7.4

Weaknesses

CWE-918
