CVE-2015-1164

EUVD-2020-0610
Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Affected Products (NVD)
VendorProductVersion
serve-static_projectserve-static
𝑥
≤ 1.7.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-serve-static
bookworm
1.15.0+~1.15.0-1
fixed
bullseye
1.14.1-3
fixed
sid
2.1.0+~1.15.7-2
fixed
trixie
2.1.0+~1.15.7-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-serve-static
artful
ignored
bionic
not-affected
lucid
dne
precise
dne
trusty
dne
utopic
ignored
vivid
ignored
wily
ignored
xenial
not-affected
yakkety
ignored
zesty
ignored
References
http://nodesecurity.io/advisories/serve-static-open-redirect
http://www.securityfocus.com/bid/72064
https://bugzilla.redhat.com/show_bug.cgi?id=1181917
https://exchange.xforce.ibmcloud.com/vulnerabilities/99936
https://github.com/expressjs/serve-static/issues/26
http://nodesecurity.io/advisories/serve-static-open-redirect
http://www.securityfocus.com/bid/72064
https://bugzilla.redhat.com/show_bug.cgi?id=1181917
https://exchange.xforce.ibmcloud.com/vulnerabilities/99936
https://github.com/expressjs/serve-static/issues/26