CVE-2017-16224
Last modified
CVE-2017-16224 is a vulnerability of currently unknown severity. st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. EPSS estimates a 0.88% chance of exploitation in the next 30 days.
Description
st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| St Project | St | <= 1.2.1 |
References
- https://nodesecurity.io/advisories/547Exploit, Third Party Advisory
- https://nodesecurity.io/advisories/547Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-16224?
How severe is CVE-2017-16224?
How do I fix CVE-2017-16224?
Are you affected by CVE-2017-16224?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST