Denial of Service (DoS)

Affecting ghost package, versions <0.5.9

medium severity

Overview

ghost is a blogging platform. Affected versions of the package are vulnerable to a Denial of Service (DoS) attack via filesystem exhaustion. When a user's avatar is updated, the previous one is kept on disk rather than deleted, and the size of the uploaded avatar is not limited.

Remediation

Upgrade ghost to version 0.5.9 or higher.

Credit: Paolo Stagno
CVE: CVE-2015-1407
CWE: CWE-400
Snyk ID: npm:ghost:20150303-5
Disclosed: 02 Mar, 2015
Published: 30 May, 2017