Lucene search

GitHub Advisory DatabaseGHSA-4448-RC82-FCR7

HistorySep 22, 2021 - 6:40 p.m.

Path Traversal in serve-here.js

2021-09-2218:40:57

CWE-22

GitHub Advisory Database

github.com

serve-here.js

path traversal

vulnerable version

access to files

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

48.3%

JSON

Versions of serve-here.js prior to 1.2.0 are vulnerable to path traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.

Affected configurations

Vulners

Node

serve-here.js_projectserve-here.jsRange<1.2.0node.js

VendorProductVersionCPE
serve-here.js_projectserve-here.js*cpe:2.3:a:serve-here.js_project:serve-here.js:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
serve-here.js_project	serve-here.js	*	cpe:2.3:a:serve-here.js_project:serve-here.js::::::node.js::*

References

github.com/advisories/GHSA-4448-rc82-fcr7

hackerone.com/reports/569966

nvd.nist.gov/vuln/detail/CVE-2019-5444

www.npmjs.com/advisories/1019

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

48.3%

JSON

Related for GHSA-4448-RC82-FCR7