Description
Serverless Offline 8.0.0 returns an HTTP 403 status code for a route that has a trailing `/` character. Because the actual behavior within the Amazon AWS environment is an HTTP 200 status code, a developer who tests only against the local emulator might implement incorrect access control (i.e., the deployed application may grant greater permissions than expected).
Recommendation
No fix is available yet. The following versions are affected:
- <= 8.0.0
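As an added example (not code from this advisory or from the serverless-offline project): a handler-level authorization check that normalizes the request path before deciding, so a protected route is denied with or without a trailing slash regardless of how the local emulator matches routes. The route list, `authorize`, and the constructed events are assumptions.

```javascript
// Added example, not from the advisory or serverless-offline. The protected
// route list, the bearer-token check and the event shapes are assumptions.
const protectedRoutes = new Set(["/admin", "/users/export"]);

// Collapse repeated slashes and strip a trailing slash (except for the root
// path), so "/admin/" and "/admin" are treated as the same resource.
function normalizePath(path) {
  const collapsed = path.replace(/\/+/g, "/");
  return collapsed.length > 1 ? collapsed.replace(/\/+$/, "") : collapsed;
}

// Decision for an API Gateway-style proxy event; returns 200 or 403 like a
// handler would. The token comparison stands in for a real authorizer.
function authorize(event, validToken) {
  const path = normalizePath(event.path || "/");
  if (!protectedRoutes.has(path)) return { statusCode: 200, path };
  const headers = event.headers || {};
  const header = headers.authorization || headers.Authorization || "";
  const token = header.startsWith("Bearer ") ? header.slice(7) : "";
  return { statusCode: token === validToken ? 200 : 403, path };
}

// Regression check: every protected route must be denied without credentials
// whether or not the client appends one or more trailing slashes. Returns the
// variants that were wrongly allowed (an empty list means the check passed).
function findUnprotectedVariants(validToken) {
  const leaks = [];
  for (const route of protectedRoutes) {
    for (const variant of [route, route + "/", route + "//"]) {
      const result = authorize({ path: variant, headers: {} }, validToken);
      if (result.statusCode !== 403) leaks.push(variant);
    }
  }
  return leaks;
}

console.log(findUnprotectedVariants("s3cret")); // prints [] when every variant is denied
```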
References
Related Issues
- Incorrect Authorization in cross-fetch - CVE-2022-1365
- Incorrect Authorization in @uppy/companion - CVE-2022-0528
- Incorrect sanitisation function leads to `XSS` in mermaid - CVE-2021-43861
- Command Injection in lodash (GHSA-35jh-r3h4-6jhm) - CVE-2021-23337
Tags:
- npm
- serverless-offline
Last updated on September 05, 2023