Lucene search

GitHub Advisory DatabaseGHSA-VCXH-QVGR-9FW9

HistoryMay 10, 2023 - 6:30 a.m.

m.static Directory Traversal vulnerability

2023-05-1006:30:27

CWE-22

GitHub Advisory Database

github.com

m.static package vulnerability

directory traversal

input sanitization

requestfile function

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P

0.001 Low

EPSS

Percentile

38.3%

JSON

All versions of the package m.static are vulnerable to Directory Traversal due to improper input sanitization of the path being requested via the requestFile function.

Affected configurations

Vulners

Node

m.static_projectm.staticRange≤2.2.0node.js

CPENameOperatorVersion
m.staticle2.2.0

CPE	Name	Operator	Version
	m.static	le	2.2.0

References

gist.github.com/lirantal/dcb32c11ce87f5aafd2282b90b4dc998

github.com/advisories/GHSA-vcxh-qvgr-9fw9

github.com/ivoputzer/m.static/blob/master/index.js#L19

nvd.nist.gov/vuln/detail/CVE-2023-26126

security.snyk.io/vuln/SNYK-JS-MSTATIC-3244915

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P

0.001 Low

EPSS

Percentile

38.3%

JSON

Related for GHSA-VCXH-QVGR-9FW9