Description

This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.

Remediation

References

https://github.com/silverwind/droppy/blob/master/server/server.js%23L845

https://snyk.io/vuln/SNYK-JS-DROPPY-1023656

Related Vulnerabilities

CVE-2018-3713 Vulnerability in npm package angular-http-server

CVE-2022-31018 Vulnerability in maven package com.typesafe.play:play_2.13

CVE-2012-0394 Vulnerability in maven package org.apache.struts.xwork:xwork-core

CVE-2020-16040 Vulnerability in maven package org.webjars.npm:electron

CVE-2021-21414 Vulnerability in npm package sdk

Severity

Critical

Classification

CWE-22

Tags

Broken Link Third Party Advisory Exploit