GHSA-4wch-fwmx-cf47

Source

https://github.com/advisories/GHSA-4wch-fwmx-cf47

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-4wch-fwmx-cf47/GHSA-4wch-fwmx-cf47.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4wch-fwmx-cf47

Aliases

CVE-2017-0930

Published

2018-09-18T13:50:25Z

Modified

2023-11-08T03:58:41.288112Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Directory Traversal in augustine

Details

Affected versions of augustine resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.

Proof of Concept

GET //etc/passwd HTTP/1.1
host:foo

Recommendation

No direct patch is available at this time.

Currently, the best mitigation for this flaw is to use a different, functionally equivalent static file server package.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:59:26Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
}

References

Affected packages

npm / augustine

Package

Name: augustine; View open source insights on deps.dev
Purl: pkg:npm/augustine

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.2.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-4wch-fwmx-cf47/GHSA-4wch-fwmx-cf47.json"