Vulnerability Details CVE-2020-15779
A Path Traversal issue was discovered in the socket.io-file package through 2.0.31 for Node.js. The socket.io-file::createFile message uses path.join with ../ in the name option, and the uploadDir and rename options determine the path.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 63.2%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/advisories/GHSA-9h4g-27m8-qjrg
- https://github.com/rico345100/socket.io-file
- https://www.npmjs.com/advisories/1519
- https://www.npmjs.com/package/socket.io-file
- https://github.com/advisories/GHSA-9h4g-27m8-qjrg
- https://github.com/rico345100/socket.io-file
- https://www.npmjs.com/advisories/1519
- https://www.npmjs.com/package/socket.io-file
Products affected by CVE-2020-15779
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.0
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.1
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.11
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.12
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.13
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.2
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.21
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.3
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.31
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.32
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.4
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.41
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.5
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.51
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.52
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.53
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.54
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.55
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.56
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.57
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.58
-
cpe:2.3:a:socket.io-file_project:socket.io-file:1.0.59
-
cpe:2.3:a:socket.io-file_project:socket.io-file:2.0.0
-
cpe:2.3:a:socket.io-file_project:socket.io-file:2.0.1
-
cpe:2.3:a:socket.io-file_project:socket.io-file:2.0.12
-
cpe:2.3:a:socket.io-file_project:socket.io-file:2.0.13
-
cpe:2.3:a:socket.io-file_project:socket.io-file:2.0.14
-
cpe:2.3:a:socket.io-file_project:socket.io-file:2.0.15
-
cpe:2.3:a:socket.io-file_project:socket.io-file:2.0.2
-
cpe:2.3:a:socket.io-file_project:socket.io-file:2.0.3
-
cpe:2.3:a:socket.io-file_project:socket.io-file:2.0.31