Platform: nodejs
Component: serve
Fixed in: 6.4.9
CVE-2018-3712 is a directory traversal vulnerability in the serve npm package. It allows attackers to list the contents of directories accessible to the user running the serve process, exposing sensitive directory structures and therefore impacting confidentiality. Affected: serve versions prior to 6.4.9. The vulnerability is fixed in version 6.4.9.
Successful exploitation of CVE-2018-3712 allows an attacker to list the contents of directories accessible to the user running the serve process. While the vulnerability does not permit arbitrary file reading, the ability to enumerate directory contents can reveal valuable information about the system's structure, configuration, and potentially sensitive files. This information can be used for reconnaissance purposes, aiding in further attacks or data exfiltration. The blast radius is limited to the directories accessible by the serve process user account.
CVE-2018-3712 was published on 2018-07-27. Its severity is rated as MEDIUM (CVSS 6.5). While no widespread exploitation campaigns are known, the vulnerability's ease of exploitation makes it a potential target. It is not currently listed on KEV or EPSS. Public proof-of-concept (POC) code may be available, increasing the risk of exploitation.
Exploit status:
EPSS: 0.68% (71st percentile)
CVSS vector:
The recommended mitigation for CVE-2018-3712 is to update to version 6.4.9 or later. If upgrading is not immediately feasible, restrict the directory served by serve to a minimal set of files. Implement input validation that sanitizes user-provided paths and rejects URL-encoded path characters such as %2e and %2f. Configure a Web Application Firewall (WAF) to block requests containing these sequences. After upgrading to version 6.4.9, verify the fix by attempting to access directories outside the intended serving directory using URL-encoded path traversal sequences and confirming that the requests are refused.
No official patch available. Check for workarounds or monitor for updates.
It is the unique identifier for this security vulnerability in the serve software.
Primarily, the directory structure and filenames accessible to the serve process.
No, the vulnerability only allows listing directory contents, not reading individual files.
Limit the serve process's access to necessary directories and avoid running it with elevated privileges.
You can download version 6.4.9 or later from the official website or your operating system's package repository.