GHSA-46hv-7769-j7rx

Source
https://github.com/advisories/GHSA-46hv-7769-j7rx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-46hv-7769-j7rx/GHSA-46hv-7769-j7rx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-46hv-7769-j7rx
Aliases
  • CVE-2019-5437
Published
2019-06-13T16:12:22Z
Modified
2023-11-08T04:01:36.165453Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Unauthorized File Access in harp
Details

Affected versions of harp are vulnerable to Unauthorized File Access. The package states that it ignores files and directories with names that start with an underscore, such as _secret-folder. If the underscore character is URL encoded, the server delivers the file.
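
The class of bug described above, shown as an added example that is not harp's source code: an ignore rule applied to the raw request path while the file lookup uses the percent-decoded path, next to a form that decodes first and then checks. All function names and sample paths are hypothetical and constructed for illustration.

```javascript
// Added illustration; not harp's source. All function names are hypothetical.

// Flawed pattern: the ignore rule is applied to the raw request path,
// but the file lookup uses the percent-decoded path.
function lookupPathFlawed(rawPath) {
  const hidden = rawPath.split('/').some((seg) => seg.startsWith('_'));
  if (hidden) return null;                 // treated as "not found"
  return decodeURIComponent(rawPath);      // decoded only after the check
}

// Hardened pattern: decode once, then apply the rule to the exact string
// that will be used for the file lookup.
function lookupPathHardened(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (err) {
    return null;                           // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // reject embedded NUL bytes
  const segments = decoded.split(/[\\/]+/).filter(Boolean);
  for (const seg of segments) {
    // Reject parent-directory hops and any underscore-prefixed segment.
    if (seg === '..' || seg.startsWith('_')) return null;
  }
  return '/' + segments.join('/');
}

// Constructed sample requests.
const samples = [
  '/index.html',
  '/_secret-folder/keys.txt',
  '/%5Fsecret-folder/keys.txt',
  '/docs/%5fdraft.md',
  '/bad%zz',
];
for (const p of samples) {
  let flawed;
  try { flawed = lookupPathFlawed(p); } catch (err) { flawed = 'error'; }
  console.log(p, '| flawed:', flawed, '| hardened:', lookupPathHardened(p));
}
```

The same comparison works as a regression test after upgrading: request an underscore-prefixed path in both literal and encoded form and confirm both are refused.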

Recommendation

Upgrade to version 0.40.2 or later.

Database specific
{
    "cwe_ids": [
        "CWE-548"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-13T16:10:40Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
}
References

Affected packages

npm / harp

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.40.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-46hv-7769-j7rx/GHSA-46hv-7769-j7rx.json"