GHSA-cqv6-7fwc-8m3c

Source
https://github.com/advisories/GHSA-cqv6-7fwc-8m3c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-cqv6-7fwc-8m3c/GHSA-cqv6-7fwc-8m3c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cqv6-7fwc-8m3c
Aliases
  • CVE-2017-16091
Published
2020-09-01T16:44:59Z
Modified
2023-11-08T03:59:04.303570Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Directory Traversal in xtalk
Details

Affected versions of xtalk are vulnerable to directory traversal (CWE-22): the request path is used to locate files on disk without being confined to the served directory, so a remote, unauthenticated client can read any file the xtalk process has permission to open by placing "../" sequences in the URL. The CVSS vector reflects this: confidentiality impact is high, integrity and availability are unaffected.

Example request:

GET /../../../../../../../../../../etc/passwd HTTP/1.1
host:localhost

Recommendation

No patch is currently available for this vulnerability, and the package has not been updated since 2014. The affected range has no fixed version: every release from 0.0.2 onward is affected.

The best mitigation is currently to avoid using this package and to use a different, functionally equivalent package. Because the advisory is in the GitHub Advisory Database, npm audit reports it for any lockfile that resolves xtalk.

Database specific
{
    "github_reviewed_at": "2020-08-31T18:19:52Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Package: npm / xtalk

Affected ranges:
  Type: SEMVER
  Events:
    Introduced: 0.0.2
  (no Fixed event: all versions from 0.0.2 onward are affected)

Database specific:
  source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-cqv6-7fwc-8m3c/GHSA-cqv6-7fwc-8m3c.json"