Path traversal in bin-links - #VU23919
Published: January 3, 2020
Vulnerability identifier: #VU23919
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: isaacs
Affected software:
bin-links
bin-links
Detailed vulnerability description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences, which allows attackers to create arbitrary files in the system outside of the intended node_modules folder through the bin field.
Remediation
Update to version 1.1.5.