Description
@uppy/companion prior to version 3.3.1 is vulnerable to incorrect authorization. A user with URL upload access could enumerate internal networks reachable from the companion server, send files served by local web servers to the destination server, and finally download them if each of these files had a guessable, regular name.
Recommendation
Update the @uppy/companion package to the latest compatible version. Version details:
- Affected version(s): < 3.3.1
- Patched version(s): 3.3.1
References
- GHSA-q24h-5rq3-63j9
- huntr.dev
- CVE-2022-0528
- CWE-200
- CWE-863
- CWE-918
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
- Incorrect Authorization in cross-fetch - CVE-2022-1365
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Server-Side Request Forgery in @uppy/companion (GHSA-mm7r-265w-jv6f) - CVE-2020-8135
Tags:
- npm
- @uppy/companion
Last updated on June 27, 2023