glance@0.2.7 vulnerabilities

disposable fileserver

Direct Vulnerabilities

Known vulnerabilities in the glance package. This does not include vulnerabilities belonging to this package’s dependencies.

Directory Traversal (severity: Medium)

glance is a quick disposable http server for static files.

Affected versions of this package are vulnerable to Directory Traversal that allows users to read files outside the public root directory. This is related to but distinct from the vulnerability reported in CVE-2018-3715.

How to fix Directory Traversal?

Upgrade glance to version 3.0.9 or higher.

Vulnerable versions: <3.0.9
Information Exposure (severity: High)

glance is a quick disposable http server for static files.

Affected versions of this package are vulnerable to Information Exposure. The config option nodot could be used to prevent serving sensitive folders such as .git or .DS_Store. This rule could be bypassed, which could lead to sensitive information disclosure.

How to fix Information Exposure?

Upgrade glance to version 3.0.7 or higher.

Vulnerable versions: <3.0.7
Cross-site Scripting (XSS) (severity: Low)

glance is a quick disposable http server for static files.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. A file name containing malicious HTML (e.g. an embedded iframe element, or a javascript: pseudo-protocol handler in an <a> element) allows JavaScript code to be executed against any user who opens a directory listing containing such a crafted file name.

How to fix Cross-site Scripting (XSS)?

There is no fix version for glance.

Vulnerable versions: * (all versions)
Directory Traversal (severity: High)

glance is a quick disposable http server for static files.

Affected versions of this package are vulnerable to Directory Traversal. It allows an attacker to read arbitrary files from the server.

How to fix Directory Traversal?

Upgrade glance to version 3.0.4 or higher.

Vulnerable versions: <3.0.4