CVE-2017-16222 Information
Description
elding is a simple web server. elding is vulnerable to a directory traversal issue that allows an attacker to access the filesystem by placing "../" in the URL. The accessible files, however, are limited to files with a file extension. For example, sending a GET request to /../../../etc/passwd will return a 404 on etc/passwd/index.js.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reference
https://github.com/JacksonGL/NPM-Vuln-PoC/blob/master/directory-traversal/elding
https://nodesecurity.io/advisories/415
Attack Complexity: LOW
Privileges Required: NONE
User Interaction Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Base Score: 5.3
Base Severity: MEDIUM