Lucene search

GitHub Advisory DatabaseGHSA-5G97-WHC9-8G7J

HistoryMar 06, 2023 - 6:30 a.m.

node-static and @nubosoftware/node-static vulnerable to Directory Traversal

2023-03-0606:30:18

CWE-22

GitHub Advisory Database

github.com

node-static

@nubosoftware/node-static

directory traversal

file path sanitation

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

46.4%

JSON

node-static and the fork @nubosoftware/node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.

Affected configurations

Vulners

Node

nubosoftwarenode-staticRange≤0.7.11

nodestaticRange≤0.7.11

VendorProductVersionCPE
nubosoftwarenode-static*cpe:2.3:a:nubosoftware:node-static:*:*:*:*:*:*:*:*
nodestatic*cpe:2.3:a:node:static:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nubosoftware	node-static	*	cpe:2.3:a:nubosoftware:node-static::::::::
node	static	*	cpe:2.3:a:node:static::::::::

References

gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc

github.com/advisories/GHSA-5g97-whc9-8g7j

github.com/cloudhead/node-static/blob/master/lib/node-static.js#23L160-L163

nvd.nist.gov/vuln/detail/CVE-2023-26111

security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928

security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

46.4%

JSON

Related for GHSA-5G97-WHC9-8G7J