Miggo Logo

CVE-2018-3809: Information Exposure on Case Insensitive File Systems in serve

5.3

CVSS Score
3.0

Basic Information

EPSS Score
0.44873%
Published
7/18/2018
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
servenpm< 7.0.07.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from case-sensitive handling of ignored files. The security patch removed the core request handling logic in lib/server.js and directory rendering in lib/render.js, replacing them with serve-handler which properly handles case insensitivity. The removed serverHandler function contained the vulnerable ignore check using 'ignoredFiles.every(item => !decodeURIComponent(pathname).includes(item))' which performed case-sensitive matching. The renderDirectory function in render.js generated directory listings without case normalization, potentially exposing ignored files through case variations on case-insensitive filesystems.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions o* `s*rv*` ***or* *.*.* *r* vuln*r**l* to in*orm*tion *xposur*, *yp*ssin* t** i*nor* s**urity *ontrol, *ut only on **s* ins*nsitiv* *il* syst*ms. ## R**omm*n**tion Up**t* to v*rsion *.*.* or l*t*r.

Reasoning

T** vuln*r**ility st*mm** *rom **s*-s*nsitiv* **n*lin* o* i*nor** *il*s. T** s**urity p*t** r*mov** t** *or* r*qu*st **n*lin* lo*i* in `li*/s*rv*r.js` *n* *ir**tory r*n**rin* in `li*/r*n**r.js`, r*pl**in* t**m wit* `s*rv*-**n*l*r` w*i** prop*rly **n*