Description

Node.js version 8.5.0 included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.

Version 8.5.0 of Node.js is vulnerable. 4.x and 6.x versions are NOT vulnerable.

Remediation

Upgrade to the latest version of Node.js. This vulnerability was fixed with the patch from September 2017.

References

Path validation vulnerability, September 2017

Related Vulnerabilities

Nexus Repository Manager Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2021-30635)

Pulse Secure SSL VPN Arbitrary File reading (CVE-2019-11510)

Joomla! Core 3.9.x Directory Traversal (3.9.3 - 3.9.5)

WordPress Plugin All-In-One Security (AIOS)-Security and Firewall Directory Traversal (5.1.4)

JIRA Security Advisory 2014-02-26

Severity

High

Classification

CVE-2017-14849 CWE-22 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Directory Traversal