
CVE-2017-16142: Directory Traversal in infraserver

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.67323%
Published: 7/23/2018
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
infraserver  | npm       | <= 0.0.1            |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability involves improper path resolution during HTTP request handling. The attack example shows that raw user input (URL path segments such as '/../../../../etc/passwd') is used directly to construct filesystem paths. This points to the absence of: 1) path normalization that collapses '../' segments, 2) a check that the resolved path still lies under the intended root directory, and 3) a hardened static-file handler such as express.static, whose safe defaults refuse such paths. While the exact implementation details of 'infraserver' are unavailable, the vulnerability pattern strongly implicates the core request-handling logic as the root cause.


WAF Protection Rules

WAF Rule

Affected versions of `infraserver` resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure
