Lucene search

GitHub Advisory DatabaseGHSA-7C9W-QMRQ-FF8R

HistoryFeb 07, 2019 - 6:14 p.m.

Path Traversal in http-live-simulator

2019-02-0718:14:21

CWE-22

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.004 Low

EPSS

Percentile

75.2%

JSON

Versions of http-live-simulator prior to 1.0.7 are vulnerable to Path Traversal. Due to insufficient input sanitization, attackers can access server files by using relative paths. For example: curl --path-as-is http://localhost:8080//../../../../etc/passwd.

Recommendation

Upgrade to version 1.0.7

Affected configurations

Vulners

Node

http-live-simulator_projecthttp-live-simulatorRange<1.0.7node.js

CPENameOperatorVersion
http-live-simulatorlt1.0.7

CPE	Name	Operator	Version
	http-live-simulator	lt	1.0.7

References

github.com/advisories/GHSA-7c9w-qmrq-ff8r

github.com/nodejs/security-wg/blob/master/vuln/npm/486.json

hackerone.com/reports/411405

nvd.nist.gov/vuln/detail/CVE-2018-16479

www.npmjs.com/advisories/772

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.004 Low

EPSS

Percentile

75.2%

JSON

Related for GHSA-7C9W-QMRQ-FF8R