GHSA-cfqx-f43m-vfh7: @saltcorn/server arbitrary file and directory listing when accessing build mobile app results
A user with admin permission can read arbitrary file and directory names on the filesystem by calling the admin/build-mobile-app/result?build_dir_name= endpoint. The build_dir_name parameter is not properly validated and is then used to construct the buildDir that is read. The file and directory names under that buildDir are returned to the caller.