CVE-2024-46503 severity question #120

Open
darakian opened this issue Oct 1, 2024 · 0 comments

darakian commented Oct 1, 2024

Hey all, similar to #97 I'm curious to know how you arrived at a high severity for
https://nvd.nist.gov/vuln/detail/CVE-2024-46503

The PoCs listed read as

    // Vuln: path-traversal
    let pkg = require("simple-spellchecker");

    const filename = "/etc/passwd";

    let fileLines = pkg._readFileSync(filename).wordlist;

    console.log(fileLines.join("\n"))

https://gist.github.com/guilherme-goncalves793/9c3125c6c8e33e0d9216847118137c63

and

    // Vuln: path-traversal

    let pkg = require("simple-spellchecker");

    const filename = "/etc/passwd";

    pkg._readFile(filename,function(err,result){
        // the package returns a dictionary in which the contents are in the wordlist array
        let fileLines = result.wordlist;

        // The package uses split('\n') to create the array. Reconstruct it back
        console.log(fileLines.join("\n"))
    });

https://gist.github.com/guilherme-goncalves793/30d62c12fffd18d4058f4aebe188f462

Inspecting the source for the project on npm or on GitHub, we can see the functions in question

    _readFile: function(file_path, callback) {
        fs.readFile(file_path, 'utf8', function(err, text) {
            // Check for errors.
            if (!err) {
                // Create dictionary and return it.
                var dictionary = new Dictionary(text.split('\n'));
                callback(null, dictionary);
            } else {
                // Return an error.
                callback("The dictionary file could not be read: " + err, null);
            }
        });
    },

and _readFileSync

    _readFileSync: function(file_path) {
        try {
            var text = fs.readFileSync(file_path, 'utf8')
            // Create dictionary and return it.
            var dictionary = new Dictionary(text.split('\n'));
            return dictionary;
        } catch(err) {
            // Return an error.
            throw new Error("The dictionary file could not be read: " + file_path + ". Error: " + err);
        }
    },

These do indeed read a file based on a path passed to them. This seems like intended usage to me, so could you elaborate on how you arrived at a high severity rating?
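For an application that hands user-influenced names to file-reading helpers like the two quoted above, the path check sits in the calling code. The following is an added example, not part of the original issue and not code from simple-spellchecker: `resolveDictionaryPath`, `readWordlist`, `demo` and the temporary directory layout are hypothetical names and constructed data, and it assumes a platform where symlinks can be created.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
// Hypothetical helper: resolve an untrusted name inside baseDir, or throw.
function resolveDictionaryPath(baseDir, untrustedName) {
  const base = fs.realpathSync(baseDir);
  // path.resolve drops `base` for absolute input and collapses ".." segments.
  const candidate = path.resolve(base, untrustedName);
  // realpathSync follows symlinks (and throws if the file does not exist).
  const real = fs.realpathSync(candidate);
  const rel = path.relative(base, real);
  const escapes = rel === "" || rel === ".." ||
    rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error("dictionary path escapes base directory: " + untrustedName);
  }
  return real;
}

// Same read-and-split step as the functions quoted in the issue, behind the guard.
function readWordlist(baseDir, untrustedName) {
  const file = resolveDictionaryPath(baseDir, untrustedName);
  return fs.readFileSync(file, "utf8").split("\n");
}

// Constructed demo data: a temp dictionary directory and a file outside it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "dict-demo-"));
  const dicts = path.join(root, "dicts");
  const outside = path.join(root, "outside.txt");
  fs.mkdirSync(dicts);
  fs.writeFileSync(path.join(dicts, "en-US.dic"), "hello\nworld");
  fs.writeFileSync(outside, "not a dictionary");
  fs.symlinkSync(outside, path.join(dicts, "link.dic"));
  const attempt = (name) => {
    try { return readWordlist(dicts, name).join(","); }
    catch (err) { return "rejected"; }
  };
  const results = {
    normal: attempt("en-US.dic"),
    dotdot: attempt("../outside.txt"),
    absolute: attempt(outside),
    symlink: attempt("link.dic"),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}
console.log(demo());
```
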
