Open richardgirges opened 2 years ago
Would you like to share some details so we could also help on it ?
@duterte can you email me at richardgirges - a t - gmail dot com? I will send you the report
@richardgirges While you are reviewing these, I think it might be helpful to reach out to NIST/Mitre and request that these CVEs be marked as disputed. At the moment, all security scanning tools flag this issue as super-mega-critical, which is unfortunate. To mark it as disputed, you just have to message them here: https://cveform.mitre.org/
@richardgirges - CVE-2022-27140 is now marked as disputed in NIST's database
DISPUTED ... NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API": the express-fileupload middleware is not responsible for an application's business logic (e.g., determining whether or how a file should be renamed).
Hi, does anyone know whether the developers are working on this issue?
There have been some unconfirmed security reports raised by @harunoz. This ticket will track the decisions and fixes (if any) to address all open security reports.
There are five primary areas that are covered in Harun's reports:
.mv method are placed in a secure location where they cannot cause harm regardless of the filename or extension.