Lucene search

GitHub Advisory DatabaseGHSA-R4R9-MGJC-G6Q3

HistorySep 01, 2020 - 7:06 p.m.

Path Traversal in 626

2020-09-0119:06:15

CWE-22

GitHub Advisory Database

github.com

path traversal

vulnerable software

remote attack

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

75.2%

JSON

All versions of 626 are vulnerable to path traversal. This enables a remote attacker to read arbitrary files from the remote server using this module.

Recommendation

No fix is currently available for this vulnerability.
It is our recommendation to not install or use this module at this time.

Affected configurations

Vulners

Node

626_project626Range0.0.0≥node.js

VendorProductVersionCPE
626_project626*cpe:2.3:a:626_project:626:*:*:*:*:*:node.js:*:*

Vendor	Product	Version	CPE
626_project	626	*	cpe:2.3:a:626_project:626::::::node.js::*

References

github.com/advisories/GHSA-r4r9-mgjc-g6q3

hackerone.com/reports/311216

nvd.nist.gov/vuln/detail/CVE-2018-3727

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

75.2%

JSON

Related for GHSA-R4R9-MGJC-G6Q3