6.5
CVE-2023-38695
- EPSS 0.8%
- Veröffentlicht 04.08.2023 18:15:14
- Zuletzt bearbeitet 21.11.2024 08:14:04
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Logincypress-image-snapshot vulnerable to insecure snapshot file names
cypress-image-snapshot shows visual regressions in Cypress with jest-image-snapshot. Prior to version 8.0.2, it's possible for a user to pass a relative file path for the snapshot name and reach outside of the project directory into the machine running the test. This issue has been patched in version 8.0.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Simonsmith ≫ Cypress Image Snapshot SwPlatformnode.js Version < 8.0.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.8% | 0.516 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| security-advisories@github.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
https://github.com/simonsmith/cypress-image-snapshot/commit/ef49519795daf5183f4fac6f3136e194f20f39f4
https://github.com/simonsmith/cypress-image-snapshot/issues/15
https://github.com/simonsmith/cypress-image-snapshot/releases/tag/8.0.2
https://github.com/simonsmith/cypress-image-snapshot/security/advisories/GHSA-vxjg-hchx-cc4g