ID NODEJS:554 Type nodejs Reporter Yasin Soliman Modified 2018-05-08T14:27:01
Description
Overview
Affected versions of serve-here resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.
Proof of Concept:
curl "http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd"
{"id": "NODEJS:554", "hash": "160045c6b5767537ce3588575a0093b7", "type": "nodejs", "bulletinFamily": "software", "title": "Directory Traversal", "description": "## Overview\n\nAffected versions of `serve-here` resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.\n\n\nProof of Concept:\n```\ncurl \"http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd\"\n```\n\n## Recommendation\n\nThe `serve-here` package has been [deprecated by the author](https://github.com/vivaxy/here/issues/18) and replaced by [@vivaxy/here](https://www.npmjs.com/package/@vivaxy/here)\n\nTo install the replacement package:\n\n`npm i @vivaxy/here`\n\n## References\n\n[Commit #298dbab](https://github.com/vivaxy/here/commit/298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2)\n[HackerOne Report #296254](https://hackerone.com/reports/296254)", "published": "2018-01-12T00:03:03", "modified": "2018-05-08T14:27:01", "cvss": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:O/RC:C/MAV:N/MAC:H"}, "href": "https://www.npmjs.com/advisories/554", "reporter": "Yasin Soliman", "references": [], "cvelist": [], "lastseen": "2018-08-06T14:59:03", "history": [{"bulletin": {"id": "NODEJS:554", "type": "nodejs", "bulletinFamily": "software", "title": "Directory Traversal", "description": "## Overview\n\nThe serve-here module is a small web server that serves files with the\nprocess' working directory acting as the web root.\n\nIt is vulnerable to a directory traversal attack.\n\nThis means that files on the local file system which exist outside of the web\nroot may be disclosed to an attacker. This might include confidential files.\n\nMitigating Factors: If the node process is run as a user with very limited\nfilesystem permissions, there is significantly less risk of exposing\nconfidential/private information.\n\nProof of Concept:\n\n \n \n curl \"http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd\"\n \n\n## Remediation\n\nWe have created an issue asking the author to publish, but as of right now the\npatched version has not been published to npm.\n\nBecause of this, at the moment the module will need to be updated by npm\ninstalling directly from git:\n\n \n \n npm i git+https://github.com/vivaxy/here.git#298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2\n \n\n## References\n\n<https://github.com/vivaxy/here/commit/298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2>\n<https://hackerone.com/reports/296254>\n\n", "published": "2018-01-12T00:03:03", "modified": "2018-01-12T00:03:03", "cvss": {"score": 7.5, "vector": "NONE"}, "href": "https://nodesecurity.io/advisories/554", "reporter": "Yasin Soliman", "references": [], "cvelist": [], "lastseen": "2018-01-12T04:52:26", "history": [], "viewCount": 39, "enchantments": {"score": {"modified": "2018-01-12T04:52:26", "value": 3.8}}, "objectVersion": "1.4", "affectedSoftware": [{"name": "Node.js serve-here", "operator": "le", "version": "3.2.0"}]}, "lastseen": "2018-01-12T04:52:26", "differentElements": ["affectedSoftware", "description"], "edition": 1}, {"bulletin": {"id": "NODEJS:554", "type": "nodejs", "bulletinFamily": "software", "title": "Directory Traversal", "description": "## Overview\n\nThe serve-here module is a small web server that serves files with the\nprocess' working directory acting as the web root.\n\nIt is vulnerable to a directory traversal attack.\n\nThis means that files on the local file system which exist outside of the web\nroot may be disclosed to an attacker. This might include confidential files.\n\nMitigating Factors: If the node process is run as a user with very limited\nfilesystem permissions, there is significantly less risk of exposing\nconfidential/private information.\n\nProof of Concept:\n\n \n \n curl \"http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd\"\n \n\n## Remediation\n\nserve-here has been [deprecated by the\nauthor](https://github.com/vivaxy/here/issues/18) and replaced by\n[@vivaxy/here](https://www.npmjs.com/package/@vivaxy/here)\n\nrun `npm i @vivaxy/here` to install the new module.\n\n## References\n\n * <https://github.com/vivaxy/here/commit/298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2>\n * <https://hackerone.com/reports/296254>\n\n", "published": "2018-01-12T00:03:03", "modified": "2018-01-12T00:03:03", "cvss": {"score": 7.5, "vector": "NONE"}, "href": "https://nodesecurity.io/advisories/554", "reporter": "Yasin Soliman", "references": [], "cvelist": [], "lastseen": "2018-01-15T08:52:43", "history": [], "viewCount": 39, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "affectedSoftware": [{"name": "Node.js serve-here", "operator": "le", "version": "All"}]}, "lastseen": "2018-01-15T08:52:43", "differentElements": ["description"], "edition": 2}, {"bulletin": {"id": "NODEJS:554", "type": "nodejs", "bulletinFamily": "software", "title": "Directory Traversal", "description": "## Overview\n\nAffected versions of `serve-here` resolve relative file paths, resulting in a\ndirectory traversal vulnerability. A malicious actor can use this\nvulnerability to access files outside of the intended directory root, which\nmay result in the disclosure of private files on the vulnerable system.\n\nProof of Concept:\n\n \n \n curl \"http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd\"\n \n\n## Remediation\n\nThe `serve-here` package has been [deprecated by the\nauthor](https://github.com/vivaxy/here/issues/18) and replaced by\n[@vivaxy/here](https://www.npmjs.com/package/@vivaxy/here)\n\nTo install the replacement package:\n\n`npm i @vivaxy/here`\n\n## References\n\n[Commit\n#298dbab](https://github.com/vivaxy/here/commit/298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2)\n[HackerOne Report #296254](https://hackerone.com/reports/296254)\n\n", "published": "2018-01-12T00:03:03", "modified": "2018-01-12T00:03:03", "cvss": {"score": 7.5, "vector": "NONE"}, "href": "https://nodesecurity.io/advisories/554", "reporter": "Yasin Soliman", "references": [], "cvelist": [], "lastseen": "2018-05-07T21:54:45", "history": [], "viewCount": 39, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "affectedSoftware": [{"name": "Node.js serve-here", "operator": "le", "version": "All"}]}, "lastseen": "2018-05-07T21:54:45", "differentElements": ["description"], "edition": 3}, {"bulletin": {"id": "NODEJS:554", "type": "nodejs", "bulletinFamily": "software", "title": "Directory Traversal", "description": "## Overview\n\nThe serve-here module is a small web server that serves files with the\nprocess' working directory acting as the web root.\n\nIt is vulnerable to a directory traversal attack.\n\nThis means that files on the local file system which exist outside of the web\nroot may be disclosed to an attacker. This might include confidential files.\n\nMitigating Factors: If the node process is run as a user with very limited\nfilesystem permissions, there is significantly less risk of exposing\nconfidential/private information.\n\nProof of Concept:\n\n \n \n curl \"http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd\"\n \n\n## Remediation\n\nserve-here has been [deprecated by the\nauthor](https://github.com/vivaxy/here/issues/18) and replaced by\n[@vivaxy/here](https://www.npmjs.com/package/@vivaxy/here)\n\nrun `npm i @vivaxy/here` to install the new module.\n\n## References\n\n * <https://github.com/vivaxy/here/commit/298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2>\n * <https://hackerone.com/reports/296254>\n\n", "published": "2018-01-12T00:03:03", "modified": "2018-01-12T00:03:03", "cvss": {"score": 7.5, "vector": "NONE"}, "href": "https://nodesecurity.io/advisories/554", "reporter": "Yasin Soliman", "references": [], "cvelist": [], "lastseen": "2018-05-08T03:55:51", "history": [], "viewCount": 39, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "affectedSoftware": [{"name": "Node.js serve-here", "operator": "le", "version": "All"}]}, "lastseen": "2018-05-08T03:55:51", "differentElements": ["description"], "edition": 4}, {"bulletin": {"id": "NODEJS:554", "type": "nodejs", "bulletinFamily": "software", "title": "Directory Traversal", "description": "## Overview\n\nAffected versions of `serve-here` resolve relative file paths, resulting in a\ndirectory traversal vulnerability. A malicious actor can use this\nvulnerability to access files outside of the intended directory root, which\nmay result in the disclosure of private files on the vulnerable system.\n\nProof of Concept:\n\n \n \n curl \"http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd\"\n \n\n## Remediation\n\nThe `serve-here` package has been [deprecated by the\nauthor](https://github.com/vivaxy/here/issues/18) and replaced by\n[@vivaxy/here](https://www.npmjs.com/package/@vivaxy/here)\n\nTo install the replacement package:\n\n`npm i @vivaxy/here`\n\n## References\n\n[Commit\n#298dbab](https://github.com/vivaxy/here/commit/298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2)\n[HackerOne Report #296254](https://hackerone.com/reports/296254)\n\n", "published": "2018-01-12T00:03:03", "modified": "2018-01-12T00:03:03", "cvss": {"score": 7.5, "vector": "NONE"}, "href": "https://nodesecurity.io/advisories/554", "reporter": "Yasin Soliman", "references": [], "cvelist": [], "lastseen": "2018-05-08T17:57:11", "history": [], "viewCount": 39, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "affectedSoftware": [{"name": "Node.js serve-here", "operator": "le", "version": "All"}]}, "lastseen": "2018-05-08T17:57:11", "differentElements": ["affectedSoftware", "cvss", "description", "href", "modified"], "edition": 5}], "viewCount": 43, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "affectedSoftware": [{"name": "serve-here", "operator": "le", "version": "99.999.99999"}], "_object_type": "robots.models.nodejs.NodeJsBulletin", "_object_types": ["robots.models.nodejs.NodeJsBulletin", "robots.models.base.Bulletin"]}
