github - ghsa-45j8-pm75-5v8x

GHSA-45J8-PM75-5V8X

Vulnerability from github – Published: 2019-02-07 18:18 – Updated: 2020-08-31 18:42

Summary

Path Traversal in simplehttpserver

Details

Versions of simplehttpserver prior to 0.2.1 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths.

Recommendation

Upgrade to version 0.2.1 or later.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "static-resource-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-16493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-548"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:57:24Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Versions of `simplehttpserver` prior to 0.2.1 are vulnerable to Path Traversal.  Due to insufficient input sanitization, attackers can access server files by using relative paths. \n\n\n## Recommendation\n\nUpgrade to version 0.2.1 or later.",
  "id": "GHSA-45j8-pm75-5v8x",
  "modified": "2020-08-31T18:42:22Z",
  "published": "2019-02-07T18:18:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16493"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/357109"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/432600"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-45j8-pm75-5v8x"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/967"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/968"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Path Traversal in simplehttpserver"
}

CVE-2018-16493 (GCVE-0-2018-16493)

Vulnerability from cvelistv5 – Published: 2019-02-01 18:00 – Updated: 2024-08-05 10:24

Summary

A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL.

Severity ?

No CVSS data available.

CWE

CWE-548 - Information Exposure Through Directory Listing (CWE-548)

Assigner

hackerone

References

URL

Tags

https://hackerone.com/reports/432600

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	HackerOne	static-resource-server	Affected: 1.7.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T10:24:32.903Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/432600"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "static-resource-server",
          "vendor": "HackerOne",
          "versions": [
            {
              "status": "affected",
              "version": "1.7.2"
            }
          ]
        }
      ],
      "datePublic": "2019-02-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-548",
              "description": "Information Exposure Through Directory Listing (CWE-548)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-02-01T17:57:01",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/432600"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2018-16493",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "static-resource-server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.7.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "HackerOne"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A path traversal vulnerability was found in module static-resource-server 1.7.2 that allows unauthorized read access to any file on the server by appending slashes in the URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Exposure Through Directory Listing (CWE-548)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/432600",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/432600"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2018-16493",
    "datePublished": "2019-02-01T18:00:00",
    "dateReserved": "2018-09-04T00:00:00",
    "dateUpdated": "2024-08-05T10:24:32.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted