Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZmcDktZ3dyaC13cTln

Path Traversal in crud-file-server

Versions of crud-file-server prior to 0.9.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.

Recommendation

Upgrade to version 0.9.0 or later.

Permalink: https://github.com/advisories/GHSA-vfp9-gwrh-wq9g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZmcDktZ3dyaC13cTln
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: almost 2 years ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.00413
EPSS Percentile: 0.73646

Identifiers: GHSA-vfp9-gwrh-wq9g, CVE-2018-3733
References: Repository: https://github.com/omphalos/crud-file-server
Blast Radius: 3.6

Affected Packages

npm:crud-file-server
Dependent packages: 1
Dependent repositories: 3
Downloads: 30 last month
Affected Version Ranges: < 0.9.0
Fixed in: 0.9.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 0.8.0
All unaffected versions: 0.9.0, 0.10.0