{ "schema_version": "1.4.0", "id": "GHSA-g7j3-p357-cw8p", "modified": "2023-09-13T20:24:14Z", "published": "2018-07-24T16:29:12Z", "aliases": [ "CVE-2017-16038" ], "summary": "Directory Traversal in f2e-server", "details": "Affected versions of `f2e-server` resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable system.\n\n**Example request:**\n```http\nGET /../../../../../../../../../../etc/passwd HTTP/1.1\nhost:foo\n```\n\n\n## Recommendation\n\nUpdate to version 1.12.12 or later.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "f2e-server" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.12.12" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 1.12.11" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16038" }, { "type": "WEB", "url": "https://github.com/shy2850/node-server/issues/10" }, { "type": "WEB", "url": "https://github.com/shy2850/node-server/pull/12/files" }, { "type": "ADVISORY", "url": "https://github.com/advisories/GHSA-g7j3-p357-cw8p" }, { "type": "PACKAGE", "url": "https://github.com/shy2850/node-server" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/346" } ], "database_specific": { "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:36:17Z", "nvd_published_at": null } }