CVE-2017-16130 - OpenCVE

exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url. Accessible files are restricted to those with a file extension. Files with no extension such as /etc/passwd throw an error.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Exxxxxxxxxxx Project	Exxxxxxxxxxx

Configuration 1 [-]

OR	cpe:2.3:a:exxxxxxxxxxx_project:exxxxxxxxxxx:1.0.0:::::node.js::
	cpe:2.3:a:exxxxxxxxxxx_project:exxxxxxxxxxx:1.0.2:::::node.js::

No data.

References

Link	Providers
https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/exxxxxxxxxxx
https://nodesecurity.io/advisories/478

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2018-06-07T02:00:00Z

Updated: 2024-09-17T03:43:42.412Z

Reserved: 2017-10-29T00:00:00

Link: CVE-2017-16130

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-07T02:29:03.503

Modified: 2019-10-09T23:24:49.127

Link: CVE-2017-16130

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "exxxxxxxxxxx node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "All versions"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing \"../\" in the url. Accessible files are restricted to those with a file extension. Files with no extension such as /etc/passwd throw an error."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Path Traversal (CWE-22)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-06-07T01:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/478"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/exxxxxxxxxxx"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2017-16130", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "exxxxxxxxxxx node module", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing \"../\" in the url. Accessible files are restricted to those with a file extension. Files with no extension such as /etc/passwd throw an error."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Path Traversal (CWE-22)"}]}]}, "references": {"reference_data": [{"name": "https://nodesecurity.io/advisories/478", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/478"}, {"name": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/exxxxxxxxxxx", "refsource": "MISC", "url": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/exxxxxxxxxxx"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:13:07.264Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodesecurity.io/advisories/478"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/exxxxxxxxxxx"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-16130", "datePublished": "2018-06-07T02:00:00Z", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2024-09-17T03:43:42.412Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:exxxxxxxxxxx_project:exxxxxxxxxxx:1.0.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "B3EFF6C9-21D3-4B7F-80A5-88B953DA63F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:exxxxxxxxxxx_project:exxxxxxxxxxx:1.0.2:*:*:*:*:node.js:*:*", "matchCriteriaId": "C852872B-B806-4AA8-8B02-337348DFCE0A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxxxxxxxx is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing \"../\" in the url. Accessible files are restricted to those with a file extension. Files with no extension such as /etc/passwd throw an error."}, {"lang": "es", "value": "\"exxxxxxxxxxx\" es una gu\u00eda de estilo de JavaScript de Google para el frame eX Http. \"exxxxxxxxxxx\" es vulnerable a un problema de salto de directorio que otorga a un atacante acceso al sistema de archivos colocando \"../\" en la URL. Los archivos accesibles se restringen a los que tienen una extensi\u00f3n de archivo. Los archivos que no tienen extensi\u00f3n, como por ejemplo /etc/passwd, generan un error."}], "id": "CVE-2017-16130", "lastModified": "2019-10-09T23:24:49.127", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-07T02:29:03.503", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/exxxxxxxxxxx"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/478"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "support@hackerone.com", "type": "Secondary"}]}