CVE-2020-5284

Опубликовано: 30 мар. 2020

Источник: nvd

CVSS3: 4.4

CVSS3: 4.3

CVSS2: 5

EPSS Высокий

Описание

Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.

Ссылки

https://github.com/zeit/next.js/releases/tag/v9.3.2
Release Notes
https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj
Third Party Advisory
https://github.com/zeit/next.js/releases/tag/v9.3.2
Release Notes
https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:zeit:next.js:*:*:*:*:*:*:*:*

Версия до 9.3.2 (исключая)

EPSS

Процентиль: 99%

0.77318

Высокий

4.4 Medium

CVSS3

4.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-23

CWE-22

Связанные уязвимости

GHSA-fq77-7p7r-83rj

CVSS3: 4.4

github

около 5 лет назад

Directory Traversal in Next.js

EPSS

Процентиль: 99%

0.77318

Высокий

4.4 Medium

CVSS3

4.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-23

CWE-22