CVE-2024-43800

serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openjsf:serve-static:*:*:*:*:*:node.js:*:*
cpe:2.3:a:openjsf:serve-static:*:*:*:*:*:node.js:*:*

History

20 Sep 2024, 17:36

Type Values Removed Values Added
References () https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b - () https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b - Patch
References () https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa - () https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa - Patch
References () https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p - () https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p - Vendor Advisory
CPE cpe:2.3:a:openjsf:serve-static:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : 5.0
v2 : unknown
v3 : 4.7
First Time Openjsf serve-static
Openjsf
Summary
  • (es) serve-static sirve archivos estáticos. serve-static pasa información de usuario no confiable (incluso después de sanearla) a redirect() y puede ejecutar código no confiable. Este problema se solucionó en serve-static 1.16.0.

10 Sep 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-10 15:15

Updated : 2024-09-20 17:36


NVD link : CVE-2024-43800

Mitre link : CVE-2024-43800

CVE.ORG link : CVE-2024-43800


JSON object : View

Products Affected

openjsf

  • serve-static
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')