CVE-2020-36629 — SimbCo httpster vulnerable to Path Traversal

Description

A vulnerability classified as critical was found in SimbCo httpster. This vulnerability affects the function fs.realpathSync of the file src/server.coffee. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. The name of the patch is d3055b3e30b40b65d30c5a06d6e053dffa7f35d0. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216748.

How to fix CVE-2020-36629

To remediate CVE-2020-36629, upgrade the affected package to a fixed version below.

—upgrade to 1.1.0 or later

Is CVE-2020-36629 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-36629
PATCHgithub.com/SimbCo/httpster
WEBgithub.com/SimbCo/httpster/commit/d3055b3e30b40b65d30c5a06d6e053dffa7f35d0
WEBgithub.com/SimbCo/httpster/pull/36
WEB