CVE-2018-3712: Directory Traversal

June 6, 2018 (updated October 9, 2019)

serve does not properly handle %2e (.) and %2f (/) and allows these characters to be used in paths, which can be used to traverse the directory tree up and lists content of any directory the user running the process has access to. Mitigating factors: This vulnerability only allows listing of directory contents and does not allow reading of arbitrary files.

References

hackerone.com/reports/307666

Detect and mitigate CVE-2018-3712 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →