Description

This affects all versions of package droppy. It is possible to traverse directories to fetch configuration files from a droopy server.

Remediation

References

https://github.com/silverwind/droppy/blob/master/server/server.js%23L845

https://snyk.io/vuln/SNYK-JS-DROPPY-1023656

Related Vulnerabilities

CVE-2019-10460 Vulnerability in maven package org.jenkins-ci.plugins:bitbucket-oauth

CVE-2019-10802 Vulnerability in npm package giting

CVE-2022-45693 Vulnerability in maven package org.codehaus.jettison:jettison

CVE-2019-8331 Vulnerability in maven package org.webjars.bower:bootstrap

CVE-2016-10531 Vulnerability in maven package org.webjars.bower:marked

Severity

Critical

Classification

CWE-22

Tags

Broken Link Third Party Advisory Exploit