Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJ3djgtanZmZi1qcTI4
Path Traversal in public
Versions of public before 0.1.3 are vulnerable to path traversal. This is due to a lack of file path sanitization, which could allow a malicious user to read any file on the server that the parent process has access to.
Recommendation
Update to version 0.1.3 or later.
Permalink: https://github.com/advisories/GHSA-rwv8-jvff-jq28
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJ3djgtanZmZi1qcTI4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: almost 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00449
EPSS Percentile: 0.75532
Identifiers: GHSA-rwv8-jvff-jq28, CVE-2018-3731
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-3731
- https://github.com/tnantoka/public/commit/eae8ad8017b260f8667ded5e12801bd72b877af2
- https://hackerone.com/reports/312918
- https://github.com/advisories/GHSA-rwv8-jvff-jq28
- https://www.npmjs.com/advisories/571
Blast Radius: 14.0
Affected Packages
npm:public
Dependent packages: 14
Dependent repositories: 73
Downloads: 16,700 last month
Affected Version Ranges: <= 0.1.2
Fixed in: 0.1.3
All affected versions: 0.1.0, 0.1.1, 0.1.2
All unaffected versions: 0.1.3, 0.1.4, 0.1.5