CVE-2017-16222 - OpenCVE

elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing "../" in the url. The files accessible, however, are limited to files with a file extension. Sending a GET request to /../../../etc/passwd, for example, will return a 404 on etc/passwd/index.js.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elding Project	Elding

Configuration 1 [-]

cpe:2.3:a:elding_project:elding:1.0.0:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/elding
https://nodesecurity.io/advisories/415

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2018-06-07T02:00:00Z

Updated: 2024-09-17T03:44:17.687Z

Reserved: 2017-10-29T00:00:00

Link: CVE-2017-16222

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-07T02:29:07.630

Modified: 2019-10-09T23:24:59.487

Link: CVE-2017-16222

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "elding node module", "vendor": "HackerOne", "versions": [{"status": "affected", "version": "All versions"}]}], "datePublic": "2018-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing \"../\" in the url. The files accessible, however, are limited to files with a file extension. Sending a GET request to /../../../etc/passwd, for example, will return a 404 on etc/passwd/index.js."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Path Traversal (CWE-22)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-06-07T01:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/elding"}, {"tags": ["x_refsource_MISC"], "url": "https://nodesecurity.io/advisories/415"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2018-04-26T00:00:00", "ID": "CVE-2017-16222", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "elding node module", "version": {"version_data": [{"version_value": "All versions"}]}}]}, "vendor_name": "HackerOne"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing \"../\" in the url. The files accessible, however, are limited to files with a file extension. Sending a GET request to /../../../etc/passwd, for example, will return a 404 on etc/passwd/index.js."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Path Traversal (CWE-22)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/elding", "refsource": "MISC", "url": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/elding"}, {"name": "https://nodesecurity.io/advisories/415", "refsource": "MISC", "url": "https://nodesecurity.io/advisories/415"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:20:05.524Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/elding"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nodesecurity.io/advisories/415"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-16222", "datePublished": "2018-06-07T02:00:00Z", "dateReserved": "2017-10-29T00:00:00", "dateUpdated": "2024-09-17T03:44:17.687Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elding_project:elding:1.0.0:*:*:*:*:node.js:*:*", "matchCriteriaId": "BFF0FB08-A743-477F-B676-7E0E5596D687", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "elding is a simple web server. elding is vulnerable to a directory traversal issue, allowing an attacker to access the filesystem by placing \"../\" in the url. The files accessible, however, are limited to files with a file extension. Sending a GET request to /../../../etc/passwd, for example, will return a 404 on etc/passwd/index.js."}, {"lang": "es", "value": "\"elding\" es un servidor web simple. \"elding\" es vulnerable a un problema de salto de directorio que otorga a un atacante acceso al sistema de archivos colocando \"../\" en la URL. Sin embargo, los archivos accesibles se limitan a aquellos que tengan una extensi\u00f3n de archivo. Por ejemplo, el env\u00edo de una petici\u00f3n GET a /../../../etc/passwd devolver\u00e1 un error 404 en etc/passwd/index.js."}], "id": "CVE-2017-16222", "lastModified": "2019-10-09T23:24:59.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-07T02:29:07.630", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/elding"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://nodesecurity.io/advisories/415"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "support@hackerone.com", "type": "Secondary"}]}