CVE-2023-47440: Update HLS chunk regex by Pierre-Gilles · Pull Request #1918 · GladysAssistant/Gladys
Gladys Assistant v4.27.0 and prior is vulnerable to Directory Traversal. The patch of CVE-2023-43256 was found to be incomplete, allowing authenticated attackers to extract sensitive files in the host machine.
@@ -178,6 +178,21 @@ describe('camera controller test’, () => {
);
await chaiAssert.isRejected(promise, ‘Invalid filename’);
});
it('should return 400, bad request, invalid filename’, async () => {
const rtspCameraController = RtspCameraController(gladys, rtspCameraService);
const req = {
params: {
folder: 'camera-1’,
file: '`index1.tslala’,
},
};
const resWriteStream = {};
const promise = rtspCameraController[‘get /api/v1/service/rtsp-camera/camera/streaming/:folder/:file’].controller(
req,
resWriteStream,
);
await chaiAssert.isRejected(promise, ‘Invalid filename’);
});
it('should return 400, bad request, invalid session id’, async () => {
const rtspCameraController = RtspCameraController(gladys, rtspCameraService);
const req = {
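Review bot: the added 'invalid filename' test pins the rejection to a single input, file: '`index1.tslala', which has one stray leading character and extra characters after .ts, so a pattern that is still loose in some other way would pass it. Since the fix is for a directory traversal, I would make this table-driven and add names that contain path separators or '..' segments, plus separate cases with only a bad prefix and only a bad suffix, so each end of the pattern is checked on its own. The folder parameter is only ever the valid 'camera-1' here; if this hunk is the only new coverage, a matching set of rejected folder values would be worth adding. Also, the title says 'should return 400' but the test only asserts that the promise is rejected with 'Invalid filename' and resWriteStream is an empty object, so the status code is never checked: either assert on the error type or status that maps to 400, or drop the 400 from the title.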