Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXEycWgtY2djMi1xaHIz
Directory Traversal in serve
Affected versions of serve do not properly handle %2e (.) and %2f (/) characters, and allow the, characters to be used in paths. This can be used to traverse the directory tree and list content of any directory the user running the process has access to.
Mitigating factors:
This vulnerability only allows listing of directory contents and does not allow reading of arbitrary files.
Recommendation
Update to version 6.4.9 later.
Permalink: https://github.com/advisories/GHSA-q2qh-cgc2-qhr3JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXEycWgtY2djMi1xaHIz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-q2qh-cgc2-qhr3, CVE-2018-3712
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-3712
- https://hackerone.com/reports/307666
- https://github.com/zeit/serve/pull/316
- https://github.com/vercel/serve/commit/6adad6881c61991da61ebc857857c53409544575
- https://github.com/advisories/GHSA-q2qh-cgc2-qhr3
Blast Radius: 32.6
Affected Packages
npm:serve
Dependent packages: 5,061Dependent repositories: 103,043
Downloads: 6,258,606 last month
Affected Version Ranges: <= 6.4.8
Fixed in: 6.4.9
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 4.0.0, 4.0.1, 4.0.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8
All unaffected versions: 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 8.0.0, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.6.0, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.1.1, 10.1.2, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 12.0.0, 12.0.1, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.1.1, 14.1.2, 14.2.0, 14.2.1, 14.2.2