PT-2018-2890 · Apache · Apache Thrift Node.Js
Published 2018-10-05 · Updated 2026-05-18 · CVE-2018-11798
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:L/Au:S/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Thrift Node.js versions 0.9.2 through 0.11.0
Description
The issue allows a remote user to read files outside the configured docroot of the web server, due to a security vulnerability in the Apache Thrift Node.js static web server. The vulnerability stems from a lack of protection for service data and can be exploited by a remote attacker to gain unauthorized access to protected information. It exists because the requested path name is not correctly restricted to the directory intended to be served, allowing an attacker to access arbitrary files.
Recommendations
For versions 0.9.2 through 0.11.0, consider restricting access to sensitive files and directories until a patch is available. As a temporary workaround, limit the web server's access to only the files and directories it actually needs, to minimize the risk of exploitation.
Fix
Improper Access Control
Path traversal
Affected products
Apache Thrift Node.Js