CVE-2023-26111 - OpenCVE

All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
\@nubosoftware\/node-static Project	\@nubosoftware\/node-static
Node-static Project	Node-static

Configuration 1 [-]

OR	cpe:2.3:a:\@nubosoftware\/node-static_project:\@nubosoftware\/node-static:-:::::node.js::
	cpe:2.3:a:node-static_project:node-static:-:::::node.js::

No data.

References

Link	Providers
https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc
https://github.com/cloudhead/node-static/blob/master/lib/node-static.js%23L160-L163
https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928
https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927

History

No history.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2023-03-06T05:00:03.346Z

Updated: 2024-08-02T11:39:06.577Z

Reserved: 2023-02-20T10:28:48.922Z

Link: CVE-2023-26111

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-03-06T05:15:12.920

Modified: 2023-11-07T04:09:21.793

Link: CVE-2023-26111

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26111", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "state": "PUBLISHED", "assignerShortName": "snyk", "dateReserved": "2023-02-20T10:28:48.922Z", "datePublished": "2023-03-06T05:00:03.346Z", "dateUpdated": "2024-08-02T11:39:06.577Z"}, "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"}}], "credits": [{"value": "Liran Tal", "lang": "en"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Directory Traversal", "lang": "en"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2023-03-06T05:00:03.346Z"}, "descriptions": [{"value": "All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.\r\r", "lang": "en"}], "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927"}, {"url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928"}, {"url": "https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc"}, {"url": "https://github.com/cloudhead/node-static/blob/master/lib/node-static.js%23L160-L163"}], "affected": [{"product": "@nubosoftware/node-static", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}, {"product": "node-static", "versions": [{"version": "0", "lessThan": "*", "status": "affected", "versionType": "semver"}], "vendor": "n/a"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.577Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927", "tags": ["x_transferred"]}, {"url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc", "tags": ["x_transferred"]}, {"url": "https://github.com/cloudhead/node-static/blob/master/lib/node-static.js%23L160-L163", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:\\@nubosoftware\\/node-static_project:\\@nubosoftware\\/node-static:-:*:*:*:*:node.js:*:*", "matchCriteriaId": "A6C388A6-611C-43A6-9974-74E328554E18", "vulnerable": true}, {"criteria": "cpe:2.3:a:node-static_project:node-static:-:*:*:*:*:node.js:*:*", "matchCriteriaId": "954E5123-26DC-4031-9A2E-BF7998864795", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "All versions of the package @nubosoftware/node-static; all versions of the package node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.\r\r"}], "id": "CVE-2023-26111", "lastModified": "2023-11-07T04:09:21.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "report@snyk.io", "type": "Secondary"}]}, "published": "2023-03-06T05:15:12.920", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://gist.github.com/lirantal/c80b28e7bee148dc287339cb483e42bc"}, {"source": "report@snyk.io", "tags": ["Broken Link"], "url": "https://github.com/cloudhead/node-static/blob/master/lib/node-static.js%23L160-L163"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-NODESTATIC-3149928"}, {"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JS-NUBOSOFTWARENODESTATIC-3149927"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "report@snyk.io", "type": "Secondary"}]}