Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ2aHYtNzc2OS1qN3J4

Unauthorized File Access in harp

Affected versions of harp are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as _secret-folder. If the underscore character is URL encoded the server delivers the file.

Recommendation

Upgrade to version 0.40.2 or later.

Permalink: https://github.com/advisories/GHSA-46hv-7769-j7rx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQ2aHYtNzc2OS1qN3J4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: about 1 year ago


CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Percentage: 0.00126
EPSS Percentile: 0.48508

Identifiers: GHSA-46hv-7769-j7rx, CVE-2019-5437
References: Repository: https://github.com/sintaxi/harp
Blast Radius: 16.1

Affected Packages

npm:harp
Dependent packages: 82
Dependent repositories: 1,109
Downloads: 1,860 last month
Affected Version Ranges: < 0.40.2
Fixed in: 0.40.2
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.8.12, 0.8.13, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.13.0, 0.14.0, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.28.1, 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.33.0, 0.34.0, 0.40.0, 0.40.1
All unaffected versions: 0.40.2, 0.40.3, 0.41.0, 0.41.2, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.46.1