CVE-2024-23340 - Vulnerability Details

Vendors	Products
Hono	Node-server

Link	Providers
https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45
https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402
https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23340", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.444Z", "datePublished": "2024-01-22T23:00:34.510Z", "dateUpdated": "2024-08-01T22:59:32.309Z"}, "containers": {"cna": {"title": "@hono/node-server can't handle \"double dots\" in URL", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"}, {"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"}, {"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45", "tags": ["x_refsource_MISC"], "url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"}], "affected": [{"vendor": "honojs", "product": "node-server", "versions": [{"version": ">= 1.3.0, < 1.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T23:00:34.510Z"}, "descriptions": [{"lang": "en", "value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`.\n\n"}], "source": {"advisory": "GHSA-rjq5-w47x-x359", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.309Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"}, {"name": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"}, {"name": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hono:node-server:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "050ADA00-CAFF-4B7D-AB88-92F4196D1289", "versionEndExcluding": "1.4.1", "versionStartIncluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with `url` behavior that is unexpected. In the standard API, if the URL contains `..`, here called \"double dots\", the URL string returned by Request will be in the resolved path. However, the `url` in @hono/node-server's Request as does not resolve double dots, so `http://localhost/static/.. /foo.txt` is returned. This causes vulnerabilities when using `serveStatic`. Modern web browsers and a latest `curl` command resolve double dots on the client side, so this issue doesn't affect those using either of those tools. However, problems may occur if accessed by a client that does not resolve them. Version 1.4.1 includes the change to fix this issue. As a workaround, don't use `serveStatic`.\n\n"}, {"lang": "es", "value": "@hono/node-server es un adaptador que permite a los usuarios ejecutar aplicaciones Hono en Node.js. Desde v1.3.0, @hono/node-server ha utilizado su propio objeto Request con un comportamiento de `url` inesperado. En la API est\u00e1ndar, si la URL contiene `..`, aqu\u00ed denominada \"puntos dobles\", la cadena de URL devuelta por la Solicitud estar\u00e1 en la ruta resuelta. Sin embargo, la `url` en la solicitud de @hono/node-server no resuelve los puntos dobles, por lo que se devuelve `http://localhost/static/.. /foo.txt`. Esto provoca vulnerabilidades al utilizar `serveStatic`. Los navegadores web modernos y el \u00faltimo comando `curl` resuelven los puntos dobles en el lado del cliente, por lo que este problema no afecta a quienes utilizan cualquiera de esas herramientas. Sin embargo, pueden ocurrir problemas si accede un cliente que no los resuelve. La versi\u00f3n 1.4.1 incluye el cambio para solucionar este problema. Como workaround, no utilice \"serveStatic\"."}], "id": "CVE-2024-23340", "lastModified": "2024-11-21T08:57:32.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-22T23:15:08.637", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/honojs/node-server/blob/8cea466fd05e6d2e99c28011fc0e2c2d3f3397c9/src/request.ts#L43-L45"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/honojs/node-server/commit/dd9b9a9b23e3896403c90a740e7f1f0892feb402"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/honojs/node-server/security/advisories/GHSA-rjq5-w47x-x359"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object