GHSA-xf27-jqwv-gf3r

Source
https://github.com/advisories/GHSA-xf27-jqwv-gf3r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-xf27-jqwv-gf3r/GHSA-xf27-jqwv-gf3r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xf27-jqwv-gf3r
Aliases
  • CVE-2019-5479
Published
2019-09-11T23:03:57Z
Modified
2023-11-08T04:01:36.773667Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Unintended Require in larvitbase-api
Details

Versions of larvitbase-api prior to 0.5.4 are vulnerable to an Unintended Require. The package exposes an API endpoint and passes a GET parameter unsanitized to a require() call. This allows attackers to execute any .js file in the same folder as the server is running.

Recommendation

Upgrade to version 0.5.4 or later.

Database specific
{
    "cwe_ids": [
        "CWE-829"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-09-04T14:29:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
}
References

Affected packages

npm / larvitbase-api

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.5.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-xf27-jqwv-gf3r/GHSA-xf27-jqwv-gf3r.json"