Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhnNzUtMzI3Ny1ndnZq
Directory Traversal in serve
Versions of serve before 7.1.3 are vulnerable to Directory Traversal. File paths are not sanitized leading to unauthorized access of system files.
Recommendation
Upgrade to version 7.1.3 or later
Permalink: https://github.com/advisories/GHSA-xg75-3277-gvvjJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhnNzUtMzI3Ny1ndnZq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00902
EPSS Percentile: 0.83016
Identifiers: GHSA-xg75-3277-gvvj, CVE-2019-5417
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-5417
- https://hackerone.com/reports/358645
- https://github.com/advisories/GHSA-xg75-3277-gvvj
- https://www.npmjs.com/advisories/795
Affected Packages
npm:serve
Dependent packages: 5,061Dependent repositories: 103,043
Downloads: 5,655,102 last month
Affected Version Ranges: < 7.1.3
Fixed in: 7.1.3
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 4.0.0, 4.0.1, 4.0.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.1.2
All unaffected versions: 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 8.0.0, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.2.0, 9.0.0, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.6.0, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.1.1, 10.1.2, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 12.0.0, 12.0.1, 13.0.0, 13.0.1, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.1.1, 14.1.2, 14.2.0, 14.2.1, 14.2.2, 14.2.3, 14.2.4