CVE-2023-3348 (GCVE-0-2023-3348)
Vulnerability from cvelistv5
Published
2023-08-03 13:47
Modified
2024-10-09 20:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cloudflare | Wrangler |
Version: 3 ≤ Version: 2 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.253Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://github.com/cloudflare/workers-sdk"
},
{
"tags": [
"related",
"x_transferred"
],
"url": "https://developers.cloudflare.com/workers/wrangler/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-09T20:30:56.298602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-09T20:34:14.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Wrangler",
"vendor": "Cloudflare",
"versions": [
{
"changes": [
{
"at": "3.1.1",
"status": "unaffected"
}
],
"lessThan": "3.1.1",
"status": "affected",
"version": "3",
"versionType": "semver"
},
{
"changes": [
{
"at": "2.20.1",
"status": "unaffected"
}
],
"lessThan": "2.20.1",
"status": "affected",
"version": "2",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "robocap42 (HackerOne researcher)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eThe Wrangler command line tool\u0026nbsp; (\u0026lt;=wrangler@3.1.0 or \u0026lt;=wrangler@2.20.1)\u0026nbsp;was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim\u0027s files present outside of the directory for the development server.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "The Wrangler command line tool\u00a0 (\u003c=wrangler@3.1.0 or \u003c=wrangler@2.20.1)\u00a0was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim\u0027s files present outside of the directory for the development server.\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-29T09:17:49.419Z",
"orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"shortName": "cloudflare"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp"
},
{
"tags": [
"product"
],
"url": "https://github.com/cloudflare/workers-sdk"
},
{
"tags": [
"related"
],
"url": "https://developers.cloudflare.com/workers/wrangler/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to wrangler@3.1.1 or higher\u003cbr\u003eFor wrangler v2 upgrade to wrangler@2.20.1 or higher"
}
],
"value": "Upgrade to wrangler@3.1.1 or higher\nFor wrangler v2 upgrade to wrangler@2.20.1 or higher"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Directory traversal vulnerability in Cloudflare Wrangler",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
"assignerShortName": "cloudflare",
"cveId": "CVE-2023-3348",
"datePublished": "2023-08-03T13:47:07.296Z",
"dateReserved": "2023-06-21T07:20:37.335Z",
"dateUpdated": "2024-10-09T20:34:14.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://github.com/cloudflare/workers-sdk\", \"tags\": [\"product\", \"x_transferred\"]}, {\"url\": \"https://developers.cloudflare.com/workers/wrangler/\", \"tags\": [\"related\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T06:55:03.253Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-3348\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-09T20:30:56.298602Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-09T20:34:08.809Z\"}}], \"cna\": {\"title\": \"Directory traversal vulnerability in Cloudflare Wrangler\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"robocap42 (HackerOne researcher)\"}], \"impacts\": [{\"capecId\": \"CAPEC-126\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-126 Path Traversal\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.7, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Cloudflare\", \"product\": \"Wrangler\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"3.1.1\", \"status\": \"unaffected\"}], \"version\": \"3\", \"lessThan\": \"3.1.1\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"changes\": [{\"at\": \"2.20.1\", \"status\": \"unaffected\"}], \"version\": \"2\", \"lessThan\": \"2.20.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to wrangler@3.1.1 or higher\\nFor wrangler v2 upgrade to wrangler@2.20.1 or higher\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Upgrade to wrangler@3.1.1 or higher\u003cbr\u003eFor wrangler v2 upgrade to wrangler@2.20.1 or higher\", \"base64\": false}]}], \"references\": [{\"url\": \"https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-8c93-4hch-xgxp\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/cloudflare/workers-sdk\", \"tags\": [\"product\"]}, {\"url\": \"https://developers.cloudflare.com/workers/wrangler/\", \"tags\": [\"related\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Wrangler command line tool\\u00a0 (\u003c=wrangler@3.1.0 or \u003c=wrangler@2.20.1)\\u00a0was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim\u0027s files present outside of the directory for the development server.\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\u003cdiv\u003eThe Wrangler command line tool\u0026nbsp; (\u0026lt;=wrangler@3.1.0 or \u0026lt;=wrangler@2.20.1)\u0026nbsp;was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim\u0027s files present outside of the directory for the development server.\u003c/div\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a22f1246-ba21-4bb4-a601-ad51614c1513\", \"shortName\": \"cloudflare\", \"dateUpdated\": \"2023-08-29T09:17:49.419Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-3348\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-09T20:34:14.644Z\", \"dateReserved\": \"2023-06-21T07:20:37.335Z\", \"assignerOrgId\": \"a22f1246-ba21-4bb4-a601-ad51614c1513\", \"datePublished\": \"2023-08-03T13:47:07.296Z\", \"assignerShortName\": \"cloudflare\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…