CVE-2023-26111

2023-03-0605:15:12

CWE-22

snyk

web.nvd.nist.gov

nubosoftware

node-static

directory traversal

cve-2023-26111

nvd

security vulnerability

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

46.4%

JSON

All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.

Affected configurations

Nvd

Node

\@nubosoftware\/node-static_project\@nubosoftware\/node-staticMatch-node.js

node-static_projectnode-staticMatch-node.js

VendorProductVersionCPE
\@nubosoftware\/node-static_project\@nubosoftware\/node-static-cpe:2.3:a:\@nubosoftware\/node-static_project:\@nubosoftware\/node-static:-:*:*:*:*:node.js:*:*
node-static_projectnode-static-cpe:2.3:a:node-static_project:node-static:-:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
\@nubosoftware\/node-static_project	\@nubosoftware\/node-static	-	cpe:2.3:a:\@nubosoftware\/node-static_project:\@nubosoftware\/node-static:-:::::node.js::
node-static_project	node-static	-	cpe:2.3:a:node-static_project:node-static:-:::::node.js::

CNA Affected

[
  {
    "product": "@nubosoftware/node-static",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  },
  {
    "product": "node-static",
    "versions": [
      {
        "version": "0",
        "lessThan": "*",
        "status": "affected",
        "versionType": "semver"
      }
    ],
    "vendor": "n/a"
  }
]