Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZmcDktZ3dyaC13cTln
Path Traversal in crud-file-server
Versions of crud-file-server prior to 0.9.0 are vulnerable to Path Traversal. The package fails to sanitize URLs, allowing attackers to access server files outside of the served folder using relative paths.
Recommendation
Upgrade to version 0.9.0 or later.
Permalink: https://github.com/advisories/GHSA-vfp9-gwrh-wq9gJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZmcDktZ3dyaC13cTln
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: over 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-vfp9-gwrh-wq9g, CVE-2018-3733
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-3733
- https://hackerone.com/reports/310690
- https://github.com/advisories/GHSA-vfp9-gwrh-wq9g
- https://www.npmjs.com/advisories/1003
- https://github.com/omphalos/crud-file-server/commit/4fc3b404f718abb789f4ce4272c39c7a138c7a82
Blast Radius: 3.6
Affected Packages
npm:crud-file-server
Dependent packages: 1Dependent repositories: 3
Downloads: 43 last month
Affected Version Ranges: < 0.9.0
Fixed in: 0.9.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.9, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.4.1, 0.5.0, 0.6.0, 0.7.0, 0.8.0
All unaffected versions: 0.9.0, 0.10.0