Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xMzI0LXE3OTUtMnE1cM0WfA

Path traversal when using `preview-docs` when working dir contains files with question mark `?` in name

Impact

The `preview-docs` command allows path traversal if the current working directory contains files with a question mark (`?`) in their names and the attacker knows the file name.

Patches

Patched in 1.0.0-beta.59 and later.

Workarounds

Do not run the `openapi-cli preview-docs` command in a folder that contains files with a question mark (`?`) in their names.

References

https://github.com/Redocly/openapi-cli/pull/347

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-q324-q795-2q5p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xMzI0LXE3OTUtMnE1cM0WfA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: over 1 year ago


Identifiers: GHSA-q324-q795-2q5p
References: Repository: https://github.com/Redocly/openapi-cli
Blast Radius: 0.0

Affected Packages

npm:@redocly/openapi-cli
Dependent packages: 31
Dependent repositories: 508
Downloads: 184,143 last month
Affected Version Ranges: <= 1.0.0-beta.58
Fixed in: 1.0.0-beta.59
All affected versions: 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.10.0, 0.11.0, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.12.13, 0.12.14, 0.12.15, 0.12.16, 1.0.0-alpha.1, 1.0.0-alpha.2, 1.0.0-alpha.3, 1.0.0-alpha.4, 1.0.0-alpha.5, 1.0.0-alpha.6, 1.0.0-alpha.7, 1.0.0-alpha.8, 1.0.0-alpha.9, 1.0.0-alpha.10, 1.0.0-alpha.11, 1.0.0-alpha.13, 1.0.0-alpha.14, 1.0.0-beta.1, 1.0.0-beta.2, 1.0.0-beta.3, 1.0.0-beta.4, 1.0.0-beta.5, 1.0.0-beta.6, 1.0.0-beta.7, 1.0.0-beta.8, 1.0.0-beta.9, 1.0.0-beta.10, 1.0.0-beta.11, 1.0.0-beta.12, 1.0.0-beta.13, 1.0.0-beta.14, 1.0.0-beta.15, 1.0.0-beta.16, 1.0.0-beta.17, 1.0.0-beta.18, 1.0.0-beta.19, 1.0.0-beta.20, 1.0.0-beta.21, 1.0.0-beta.22, 1.0.0-beta.23, 1.0.0-beta.24, 1.0.0-beta.25, 1.0.0-beta.26, 1.0.0-beta.27, 1.0.0-beta.28, 1.0.0-beta.29, 1.0.0-beta.30, 1.0.0-beta.31, 1.0.0-beta.32, 1.0.0-beta.33, 1.0.0-beta.34, 1.0.0-beta.35, 1.0.0-beta.36, 1.0.0-beta.37, 1.0.0-beta.38, 1.0.0-beta.39, 1.0.0-beta.40, 1.0.0-beta.41, 1.0.0-beta.42, 1.0.0-beta.43, 1.0.0-beta.44, 1.0.0-beta.45, 1.0.0-beta.46, 1.0.0-beta.47, 1.0.0-beta.48, 1.0.0-beta.49, 1.0.0-beta.50, 1.0.0-beta.51, 1.0.0-beta.52, 1.0.0-beta.53, 1.0.0-beta.54, 1.0.0-beta.55, 1.0.0-beta.56, 1.0.0-beta.57, 1.0.0-beta.58
All unaffected versions: