CVE-2017-18355

CWE-200Information Exposure4 documents4 sources
Severity
7.5HIGH
EPSS
0.3%
top 50.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Google Rendertron
Timeline
PublishedDec 17
Latest updateFeb 12

Description

Installed packages are exposed by node_modules in Rendertron 1.0.0, allowing remote attackers to read absolute paths on the server by examining the "_where" attribute of package.json files.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

npmrendertron< 1.1.0

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Rendertron discloses absolute paths of files2019-02-12
OSV
Rendertron discloses absolute paths of files2019-02-12
CVEList
CVE-2017-18355: Installed packages are exposed by node_modules in Rendertron 12018-12-17
CVE-2017-18355 (HIGH CVSS 7.5) | Installed packages are exposed by n | cvebase.io