A vulnerability was found in resolve-path up to 1.3.x on Node.js (JavaScript Library). It has been rated as critical. This issue affects an unknown part. The manipulation as part of a Special Char leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality, and integrity. The summary by CVE is:

resolve-path node module before 1.4.0 suffers from a Path Traversal vulnerability due to lack of validation of paths with certain special characters, which allows a malicious user to read content of any file with known path.

The bug was discovered 03/08/2018. The weakness was presented 06/07/2018 (Website). The advisory is shared at github.com. The identification of this vulnerability is CVE-2018-3732 since 12/28/2017. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1006 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 90 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 1.4.0 eliminates this vulnerability.

Productinfo

Type

• JavaScript Library

Name

• resolve-path

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion