Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR3Y2gtZndteC1jZjQ3
Directory Traversal in augustine
Affected versions of augustine resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.
Proof of Concept
GET //etc/passwd HTTP/1.1
host:foo
Recommendation
No direct patch is available at this time.
Currently, the best mitigation for this flaw is to use a different, functionally equivalent static file server package.
Permalink: https://github.com/advisories/GHSA-4wch-fwmx-cf47
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTR3Y2gtZndteC1jZjQ3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 6 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-4wch-fwmx-cf47, CVE-2017-0930
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-0930
- https://hackerone.com/reports/296282
- https://github.com/advisories/GHSA-4wch-fwmx-cf47
- https://www.npmjs.com/advisories/559
Affected Packages
npm:augustine
Dependent packages: 2
Dependent repositories: 1
Downloads: 22 last month
Affected Version Ranges: <= 0.2.3
No known fixed version
All affected versions: 0.1.0, 0.1.2, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.2.0, 0.2.1, 0.2.2, 0.2.3