UNIX symbolic link following in Harp - CVE-2019-5438


Published: May 14, 2019


Vulnerability identifier: #VU18439
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-5438
CWE-ID: CWE-61
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: npm Inc.
Affected software:
Harp

Detailed vulnerability description

The vulnerability allows a local user to gain access to sensitive data.

The vulnerability exists due to a symlink following issue when processing path traversal characters. A local user can create a specially crafted symbolic link to get access to files outside the project directory.

Successful exploitation of this vulnerability allows an attacker to list any file in another folder of the web root.


How to mitigate CVE-2019-5438

Install updates from vendor's website.

Sources