Lucene search

K
osvGoogleOSV:GHSA-CMCH-296J-WFVW
HistoryDec 02, 2019 - 6:06 p.m.

Arbitrary File Write in iobroker.js-controller

2019-12-0218:06:14
Google
osv.dev
9

EPSS

0.003

Percentile

68.4%

Versions of iobroker.controller prior to 2.0.25 are vulnerable to Path Traversal. The package fails to restrict access to folders outside of the intended /adapter/<adapter-name> folder, which may allow attackers to include arbitrary files in the system. An attacker would need to be authenticated to perform the attack but the package has authentication disabled by default.

Recommendation

Upgrade to version 2.0.25 or later.

EPSS

0.003

Percentile

68.4%