Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2023-34238
Good to know:
Date: June 7, 2023
Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the "__file-code-frame" and "__original-stack-frame" paths, exposed when running the Gatsby develop server ("gatsby develop"). Any file in scope of the development server could potentially be exposed. It should be noted that by default "gatsby develop" is only accessible via the localhost "127.0.0.1", and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as "--host 0.0.0.0", "-H 0.0.0.0", or the "GATSBY_HOST=0.0.0.0" environment variable. A patch has been introduced in "gatsby@5.9.1" and "gatsby@4.25.7" which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.
Language: JS
Severity Score
Related Resources (6)
Severity Score
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22Insufficient Information
NVD-CWE-noinfoTop Fix
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | NONE |
| Availability (A): | NONE |