GHSA-9c9v-w225-v5rg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9c9v-w225-v5rg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-9c9v-w225-v5rg/GHSA-9c9v-w225-v5rg.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-9c9v-w225-v5rg
- Aliases
- Published
- 2023-08-15T20:35:20Z
- Modified
- 2023-12-06T00:48:08.707393Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Ghost vulnerable to arbitrary file read via symlinks in content import
- Details
-
Impact
A vulnerability in Ghost allows authenticated users to upload files which are symlinks. This can be exploited to perform an arbitrary file read of any file on the operating system.
Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's
content/folderVulnerable versions
This security vulnerability is present in Ghost ≤ v5.59.0.
Patches
v5.59.1 contains a fix for this issue.
For more information
If you have any questions or comments about this advisory: * Email us at security@ghost.org
- Database specific
{ "nvd_published_at": "2023-08-15T18:15:10Z", "cwe_ids": [ "CWE-22", "CWE-59" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-08-15T20:35:20Z" }- References
Affected packages
npm / ghost
Package
- Name
- ghost
- View open source insights on deps.dev
- Purl
- pkg:npm/ghost