GHSA-cmch-296j-wfvw

Source

https://github.com/advisories/GHSA-cmch-296j-wfvw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-cmch-296j-wfvw/GHSA-cmch-296j-wfvw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cmch-296j-wfvw

Aliases

CVE-2019-10767

Published

2019-12-02T18:06:14Z

Modified

2025-01-14T07:14:15.140646Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Arbitrary File Write in iobroker.js-controller

Details

Versions of iobroker.controller prior to 2.0.25 are vulnerable to Path Traversal. The package fails to restrict access to folders outside of the intended /adapter/<adapter-name> folder, which may allow attackers to include arbitrary files in the system. An attacker would need to be authenticated to perform the attack but the package has authentication disabled by default.

Recommendation

Upgrade to version 2.0.25 or later.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2019-11-27T03:26:55Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

npm / iobroker.js-controller

Package

Name: iobroker.js-controller; View open source insights on deps.dev
Purl: pkg:npm/iobroker.js-controller

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.25