CVE-2024-23340

{"id": "CVE-2024-23340", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-01-22T23:15:08.637", "references": [{"url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`.\n\n"}, {"lang": "es", "value": "@hono/node-server es un adaptador que permite a los usuarios ejecutar aplicaciones Hono en Node.js. Desde v1.3.0, @hono/node-server ha utilizado su propio objeto Request con un comportamiento de `url` inesperado. En la API est\u00e1ndar, si la URL contiene `..`, aqu\u00ed denominada \"puntos dobles\", la cadena de URL devuelta por la Solicitud estar\u00e1 en la ruta resuelta. Sin embargo, la `url` en la solicitud de @hono/node-server no resuelve los puntos dobles, por lo que se devuelve `http://localhost/static/.. /foo.txt`. Esto provoca vulnerabilidades al utilizar `serveStatic`. Los navegadores web modernos y el \u00faltimo comando `curl` resuelven los puntos dobles en el lado del cliente, por lo que este problema no afecta a quienes utilizan cualquiera de esas herramientas. Sin embargo, pueden ocurrir problemas si accede un cliente que no los resuelve. La versi\u00f3n 1.4.1 incluye el cambio para solucionar este problema. Como workaround, no utilice \"serveStatic\"."}], "lastModified": "2024-01-30T14:30:38.267", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "050ADA00-CAFF-4B7D-AB88-92F4196D1289", "versionEndExcluding": "1.4.1", "versionStartIncluding": "1.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}