Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ2aHYtNzc2OS1qN3J4
Unauthorized File Access in harp
Affected versions of harp
are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as _secret-folder
. If the underscore character is URL encoded the server delivers the file.
Recommendation
Upgrade to version 0.40.2
or later.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ2aHYtNzc2OS1qN3J4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: about 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00126
EPSS Percentile: 0.48508
Identifiers: GHSA-46hv-7769-j7rx, CVE-2019-5437
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5437
- https://hackerone.com/reports/453820
- https://www.npmjs.com/advisories/807
- https://github.com/sintaxi/harp/commit/1ec790baeeb2bfdb4584f1998af3d10a8fa31210
- https://github.com/advisories/GHSA-46hv-7769-j7rx
Blast Radius: 16.1
Affected Packages
npm:harp
Dependent packages: 82Dependent repositories: 1,109
Downloads: 1,860 last month
Affected Version Ranges: < 0.40.2
Fixed in: 0.40.2
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.28.1, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.40.0, 0.40.1
All unaffected versions: 0.40.2, 0.40.3, 0.41.0, 0.41.2, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.46.1