GHSA-mm7r-265w-jv6f

Source

https://github.com/advisories/GHSA-mm7r-265w-jv6f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-mm7r-265w-jv6f/GHSA-mm7r-265w-jv6f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mm7r-265w-jv6f

Aliases

CVE-2020-8135

Published

2020-09-03T15:51:19Z

Modified

2023-11-08T04:04:14.077505Z

Summary

Server-Side Request Forgery in @uppy/companion

Details

Versions of @uppy/companion prior to 1.9.3 are vulnerable to Server-Side Request Forgery (SSRF). The get route passes the user-controlled variable req.body.url to a GET request without sanitizing the value. This allows attackers to inject arbitrary URLs and make GET requests on behalf of the server.

Recommendation

Upgrade to version 1.9.3 or later.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T19:01:35Z",
    "nvd_published_at": null,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-918"
    ]
}

References

Affected packages

npm / @uppy/companion

Package

Name: @uppy/companion; View open source insights on deps.dev
Purl: pkg:npm/%40uppy/companion

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.3