Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU0eGotcTU4aC05eDU3

Arbitrary File Write in iobroker.admin

Versions of iobroker.admin prior to 3.6.12 are vulnerable to Path Traversal. The package fails to restrict access to folders outside of the intended folder in the /log/ route, which may allow attackers to include arbitrary files in the system. An attacker would need to be authenticated to perform the attack but the package has authentication disabled by default.

Recommendation

Upgrade to version 3.6.12 or later.

Permalink: https://github.com/advisories/GHSA-54xj-q58h-9x57
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU0eGotcTU4aC05eDU3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: almost 2 years ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Percentage: 0.00466
EPSS Percentile: 0.75796

Identifiers: GHSA-54xj-q58h-9x57, CVE-2019-10765
References: Repository: https://github.com/ioBroker/ioBroker.admin
Blast Radius: 5.9

Affected Packages

npm:iobroker.admin
Dependent packages: 3
Dependent repositories: 4
Downloads: 29,039 last month
Affected Version Ranges: < 3.6.12
Fixed in: 3.6.12
All affected versions: 0.2.3, 0.2.4, 0.2.5, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10, 0.3.11, 0.3.12, 0.3.13, 0.3.14, 0.3.15, 0.3.16, 0.3.17, 0.3.18, 0.3.19, 0.3.20, 0.3.21, 0.3.22, 0.3.23, 0.3.24, 0.3.25, 0.3.26, 0.3.27, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.5.11, 0.5.12, 0.5.13, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.8.0, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.4.0, 1.5.1, 1.5.2, 1.5.3, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.10, 1.6.11, 1.7.0, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.8.1, 2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.6, 2.0.7, 2.0.9, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.6.0, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.7, 3.6.8, 3.6.9, 3.6.10
All unaffected versions: 3.6.12, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.7.9, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.1.0, 4.1.1, 4.1.3, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.2.0, 4.2.1, 4.2.2, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 5.0.19, 5.0.20, 5.0.21, 5.0.22, 5.0.24, 5.0.25, 5.0.26, 5.0.27, 5.0.28, 5.0.29, 5.0.30, 5.0.31, 5.0.32, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.10, 5.1.11, 5.1.12, 5.1.13, 5.1.14, 5.1.15, 5.1.16, 5.1.17, 5.1.18, 5.1.19, 5.1.20, 5.1.21, 5.1.22, 5.1.23, 5.1.24, 5.1.25, 5.1.28, 5.1.29, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.7, 5.3.8, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.1.0, 6.1.1, 6.1.2, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.2.16, 6.2.17, 6.2.18, 6.2.19, 6.2.20, 6.2.21, 6.2.22, 6.2.23, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.3, 6.6.4, 6.6.5, 6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.9.0, 6.9.1, 6.9.2, 6.10.0, 6.10.1, 6.10.2, 6.10.3, 6.10.4, 6.10.5, 6.10.6, 6.10.7, 6.10.8, 6.11.0, 6.12.0, 6.12.1, 6.12.2, 6.12.3, 6.12.4, 6.12.5, 6.12.6, 6.12.7, 6.12.8, 6.12.9, 6.13.1, 6.13.3, 6.13.5, 6.13.6, 6.13.7, 6.13.9, 6.13.11, 6.13.13, 6.13.14, 6.13.15, 6.13.16, 6.13.17, 6.13.18, 6.13.19, 6.13.20, 6.13.21, 6.14.0, 6.14.1, 6.15.0, 6.15.1, 6.15.2, 6.17.0, 6.17.1, 6.17.2, 6.17.3, 6.17.4, 6.17.5, 6.17.6, 6.17.7, 6.17.8, 6.17.10, 6.17.11, 6.17.12, 6.17.13, 6.17.14, 7.0.1, 7.0.2, 7.0.5, 7.0.6, 7.0.7, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.16, 7.0.17, 7.0.18, 7.0.19, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.0.25, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.3.0, 7.3.1, 7.3.2, 7.4.0, 7.4.1, 7.4.2, 7.4.3