GHSA-54xj-q58h-9x57

Source

https://github.com/advisories/GHSA-54xj-q58h-9x57

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-54xj-q58h-9x57/GHSA-54xj-q58h-9x57.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-54xj-q58h-9x57

Aliases

CVE-2019-10765

Published

2020-09-04T15:24:56Z

Modified

2025-01-14T07:14:16.096323Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Arbitrary File Write in iobroker.admin

Details

Versions of iobroker.admin prior to 3.6.12 are vulnerable to Path Traversal. The package fails to restrict access to folders outside of the intended folder in the /log/ route, which may allow attackers to include arbitrary files in the system. An attacker would need to be authenticated to perform the attack but the package has authentication disabled by default.

Recommendation

Upgrade to version 3.6.12 or later.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-08-31T18:55:50Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

npm / iobroker.admin

Package

Name: iobroker.admin; View open source insights on deps.dev
Purl: pkg:npm/iobroker.admin

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.12