GitHub Advisory Database: GHSA-J27J-4W6M-8FC4

Path Traversal in statics-server

Published: 2020-03-31 17:02:12
Weakness: CWE-22
Source: GitHub Advisory Database (github.com)

CVSS2: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.004 (Percentile: 75.2%)

All versions of statics-server are vulnerable to Path Traversal. The package fails to limit access to files outside of the served folder through symlinks.

Recommendation

No fix is currently available. Do not use statics-server in production or consider using an alternative module until a fix is made available.

Affected configurations

Vulners: Node / statics-server, Range: 0.0.9

Vendor: statics
Product: server
Version: *
CPE: cpe:2.3:a:statics:server:*:*:*:*:*:*:*:*
