CVE-2020-15779

Опубликовано: 15 июл. 2020

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Низкий

Описание

A Path Traversal issue was discovered in the socket.io-file package through 2.0.31 for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path.

Ссылки

https://github.com/advisories/GHSA-9h4g-27m8-qjrg
Third Party Advisory
https://github.com/rico345100/socket.io-file
Third Party Advisory
https://www.npmjs.com/advisories/1519
Exploit
Third Party Advisory
https://www.npmjs.com/package/socket.io-file
Product
Third Party Advisory
https://github.com/advisories/GHSA-9h4g-27m8-qjrg
Third Party Advisory
https://github.com/rico345100/socket.io-file
Third Party Advisory
https://www.npmjs.com/advisories/1519
Exploit
Third Party Advisory
https://www.npmjs.com/package/socket.io-file
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:socket.io-file_project:socket.io-file:*:*:*:*:*:node.js:*:*

Версия до 2.0.31 (включая)

EPSS

Процентиль: 64%

0.0046

Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

GHSA-9h4g-27m8-qjrg