Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2018-3715

CVE-2018-3715:
Path Traversal in glance

6.5

CVSS Score

Basic Information

CVE ID
CVE-2018-3715
GHSA ID
GHSA-2x4q-6jfv-8h9h
EPSS Score
-
CWE
CWE-22
Published
7/26/2018
Updated
1/31/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
glancenpm< 3.0.43.0.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The key evidence comes from the commit diff showing the vulnerability was fixed by adding a path validation check in serveRequest. The added code explicitly checks if request.fullPath starts with the configured directory (self.dir), which was missing in vulnerable versions. This function handles core request processing and path resolution, making it the logical point where path traversal would occur when unvalidated. The direct correlation between the vulnerability description (lack of path validation) and the patched code confirms this as the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `*l*n**` ***or* *.*.* *r* vuln*r**l* to * P*t* Tr*v*rs*l vuln*r**ility *u* to l**k o* v*li**tion o* p*t* p*ss** to it, w*i** *llows * m*li*ious us*r to r*** *ont*nt o* *ny *il* wit* known p*t*. ## R**omm*n**tion Up**t* to v*rsion *.*.*

Reasoning

T** k*y *vi**n** *om*s *rom t** *ommit *i** s*owin* t** vuln*r**ility w*s *ix** *y ***in* * p*t* v*li**tion ****k in s*rv*R*qu*st. T** ***** *o** *xpli*itly ****ks i* r*qu*st.*ullP*t* st*rts wit* t** *on*i*ur** *ir**tory (s*l*.*ir), w*i** w*s missin*