GHSA-68gr-cmcp-g3mj – lactate

Package

Manager: npm
Name: lactate
Vulnerable Version: >=0 <=0.13.12

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Directory Traversal in lactate A crafted `GET` request can be leveraged to traverse the directory structure of a host using the lactate web server package, and request arbitrary files outside of the specified web root. This allows for a remote attacker to gain access to arbitrary files on the filesystem that the process has access to read. Mitigating factors: Only files that the user running `lactate` has permission to read will be accessible via this vulnerability. [Proof of concept](https://hackerone.com/reports/296645): Please globally install the `lactate` package and `cd` to a directory you wish to serve assets from. Next, run `lactate -p 8081` to start serving files from this location. The following cURL request can be used to demonstrate this vulnerability by requesting the target `/etc/passwd` file: ``` curl "http://127.0.0.1:8081/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" ``` ``` root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin [...] ``` ## Recommendation As there is currently no fix for this issue selecting an alternative static web server would be the best choice.

Metadata

Created: 2019-06-14T16:39:31Z
Modified: 2021-08-16T23:34:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-68gr-cmcp-g3mj/GHSA-68gr-cmcp-g3mj.json
CWE IDs: ["CWE-22"]
Alternative ID: N/A
Finding: F063
Auto approve: 1