Description
This affects all versions of the package droppy. It is possible to traverse directories to fetch configuration files from a droppy server.
Remediation
References
https://github.com/silverwind/droppy/blob/master/server/server.js#L845
https://snyk.io/vuln/SNYK-JS-DROPPY-1023656