CVE-2022-24718: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

March 1, 2022 (updated March 2, 2022)

ssr-pages is an HTML page builder for the purpose of server-side rendering (SSR). In versions prior to 0.1.4, a path traversal issue can occur when providing untrusted input to the svg property as an argument to the build(MessagePageOptions) function. While there is no known workaround at this time, there is a patch in version 0.1.4.

References

github.com/Finastra/ssr-pages/pull/1
github.com/Finastra/ssr-pages/pull/1/commits/c3e4c563384ae3ba3892f37dd190218577620780
github.com/Finastra/ssr-pages/security/advisories/GHSA-w6cx-qg2q-rvq8
github.com/advisories/GHSA-w6cx-qg2q-rvq8
nvd.nist.gov/vuln/detail/CVE-2022-24718

Detect and mitigate CVE-2022-24718 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →