CVSSv3 7.5

CVE-2017-14849

Published: 28/09/2017 Updated: 03/10/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 447
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

Node.js 8.5.0 (fixed in 8.6.0) allows remote attackers to access unintended files, because a change to ".." handling in path normalization was incompatible with the pathname validation used by unspecified community modules. Code that normalizes a request path and then inspects the result for ".." segments inherits any defect in the normalizer; a containment check on the fully resolved path does not.

Vulnerable Product

nodejs node.js 8.5.0

Github Repositories

Docker goof version of breaking into a container

Goof - Snyk's application demo for breaking into containers. The purpose of this repository is to demonstrate a Node.js web application that is packaged as a container, and to show container-level vulnerabilities that result in breaking into the container. Vulnerabilities and exploitation: the vanilla Node.js base image node:6.10-wheezy ships with a vulnerable image of Image

Node.js 8.5 exploit

Demonstration of CVE-2017-14849. This exploit lets any user allowed to GET a static file from an Express server running express 4.15.2 and Node v8.5 read any file the user running the web server has access to on the host system. Conveniently, Express shipped an exploitable example in the source. Prerequisites: Docker. Try it out: build the image: docker build -t exploit . Start the

Node.js directory traversal vulnerability (CVE-2017-14849)

Vulnerability overview: Node.js 8.5.0 has a path normalization vulnerability. When climbing to a parent directory (e.g. ../../../../../../etc/passwd), if an invalid folder is in the way (e.g. ../../../foo/../../../etc/passwd) an error should occur, but path normalization (Pa

Security Knowledge Structure (security knowledge summary)

Security Knowledge Structure. Issues and pull requests are welcome. 1 Enterprise security. 1.1 Black-box scanning: static XSS detection; a brief analysis of AWVS; a first look at Chrome Headless Browser; detecting URL redirects with phantomJS; detecting Flash XSS with SlimerJS. 1.2 White-box scanner: Cobra. 1.3 Building your own WAF: how to build a cloud WAF; how to build an HTTPS cloud WAF; ngx_lua_waf; VeryNginx; lua-resty-waf. 1.4 Bastion host: ju