An open API service providing security vulnerability metadata for many open source software ecosystems.


Severity: High
EPSS: 0.5516% (0.97902 percentile)

Directory Traversal in st

Affected Package: npm:st (PURL: pkg:npm/st)
Affected Versions: < 0.2.5
Fixed Versions: 0.2.5
Dependent packages: 501
Dependent repositories: 62,960
Downloads last month: 796,978

Affected Version Ranges

All affected versions

0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4

All unaffected versions

0.2.5, 0.2.6, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3

Versions of st prior to 0.2.5 are affected by a directory traversal vulnerability. Vulnerable versions fail to properly handle URL-encoded dots, so %2e was interpreted as . by the filesystem and encoded .. sequences could traverse outside the served directory, giving an attacker the potential to read sensitive files on the server.

Recommendation

Update to version 0.2.5 or later.
