CVE-2016-10561 – bitty

Package

Manager: npm
Name: bitty
Vulnerable Version: >=0 <=0.2.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00353 pctl0.56957

Details

Directory Traversal in bitty Affected versions of `bitty` are vulnerable to directory traversal via the URL path in GET requests. ## Recommendation The `bitty` package is not currently maintained, and has not seen an update since 2015. At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality, such as [serve](https://www.npmjs.com/package/serve).

Metadata

Created: 2019-02-18T23:38:29Z
Modified: 2021-01-08T21:04:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-f5mh-hq6h-whxv/GHSA-f5mh-hq6h-whxv.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-f5mh-hq6h-whxv
Finding: F063
Auto approve: 1