Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04YzkzLTRoY2gteGd4cM4AA1CK
Cloudflare Wrangler directory traversal vulnerability
Impact
The Wrangler command line tool (<[email protected] or <[email protected]) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.
Patches
Wrangler2: Upgrade to v2.20.1 or higher.
Wrangler3: Upgrade to v3.1.1 or higher.
References
Workers SDK on Github
Wrangler docs
CVE-2023-3348
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04YzkzLTRoY2gteGd4cM4AA1CK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-8c93-4hch-xgxp, CVE-2023-3348
References:
- https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp
- https://github.com/cloudflare/workers-sdk/pull/3498
- https://github.com/cloudflare/workers-sdk/commit/fddffdf0c23d2ca56f2139a2c6bc278052594cba
- https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%403.1.1
- https://nvd.nist.gov/vuln/detail/CVE-2023-3348
- https://developers.cloudflare.com/workers/wrangler/
- https://github.com/cloudflare/workers-sdk
- https://github.com/advisories/GHSA-8c93-4hch-xgxp
Blast Radius: 20.2
Affected Packages
npm:wrangler
Dependent packages: 209Dependent repositories: 3,545
Downloads: 2,356,353 last month
Affected Version Ranges: < 2.20.1
Fixed in: 2.20.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 0.0.17, 0.0.18, 0.0.19, 0.0.21, 0.0.22, 0.0.23, 0.0.24, 0.0.25, 0.0.26, 0.0.27, 0.0.28, 0.0.29, 0.0.30, 0.0.31, 0.0.32, 0.0.33, 0.0.34, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.13.0, 2.14.0, 2.15.0, 2.15.1, 2.16.0, 2.17.0, 2.18.0, 2.19.0, 2.20.0
All unaffected versions: 2.20.1, 2.20.2, 2.21.0, 2.21.1, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.5.1, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.9.1, 3.10.0, 3.10.1, 3.11.0, 3.12.0, 3.13.0, 3.13.1, 3.13.2, 3.14.0, 3.15.0, 3.16.0, 3.17.0, 3.17.1, 3.18.0, 3.19.0, 3.20.0, 3.21.0, 3.22.0, 3.22.1, 3.22.2, 3.22.3, 3.22.4, 3.22.5, 3.23.0, 3.24.0, 3.25.0, 3.26.0, 3.27.0, 3.28.0, 3.28.1, 3.28.2, 3.28.3, 3.28.4, 3.29.0, 3.30.0, 3.30.1, 3.31.0, 3.32.0, 3.33.0, 3.34.0, 3.34.1, 3.34.2, 3.35.0, 3.36.0, 3.37.0, 3.38.0, 3.39.0, 3.40.0, 3.41.0, 3.42.0, 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.47.1, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.51.2, 3.52.0, 3.53.0, 3.53.1