CVE-2024-37162 – zsa

Package

Manager: npm
Name: zsa
Vulnerable Version: >=0 <0.3.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00236 pctl0.4657

Details

Generation of Error Message Containing Sensitive Information in zsa ### Impact All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine username and directory paths. An attacker could exploit this vulnerability to gain unauthorized access to sensitive server information. This information could be used to plan further attacks or gain a deeper understanding of the server infrastructure. ### Patches Yes, this has been pathed on `0.3.3` ### Workarounds No way to fix other than the patch.

Metadata

Created: 2024-06-06T22:58:46Z
Modified: 2024-10-31T22:24:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-wjmj-h3xc-hxp8/GHSA-wjmj-h3xc-hxp8.json
CWE IDs: ["CWE-209"]
Alternative ID: GHSA-wjmj-h3xc-hxp8
Finding: F037
Auto approve: 1