CVE-2024-23331 - High Severity Vulnerability
Vulnerable Library - vite-2.7.9.tgz
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-2.7.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/vite/package.json
Dependency Hierarchy:
- vuepress-2.0.0-beta.31.tgz (Root Library)
- vuepress-vite-2.0.0-beta.31.tgz
- bundler-vite-2.0.0-beta.31.tgz
- ❌ vite-2.7.9.tgz (Vulnerable Library)
Found in HEAD commit: cc4e8cd1c879b3e0e71530e7e3255a4cc7824460
Found in base branch: main
Vulnerability Details
Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.
Publish Date: 2024-01-19
URL: CVE-2024-23331
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-c24v-8rfc-w8vw
Release Date: 2024-01-19
Fix Resolution: vite - 2.9.17,3.2.8,4.5.2,5.0.12
Step up your Open Source Security Game with Mend here
CVE-2024-23331 - High Severity Vulnerability
Native-ESM powered web dev build tool
Library home page: https://registry.npmjs.org/vite/-/vite-2.7.9.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/vite/package.json
Dependency Hierarchy:
Found in HEAD commit: cc4e8cd1c879b3e0e71530e7e3255a4cc7824460
Found in base branch: main
Vite is a frontend tooling framework for javascript. The Vite dev server option
server.fs.denycan be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Sincepicomatchdefaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived fromconfig.server.fs.denyfails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.Publish Date: 2024-01-19
URL: CVE-2024-23331
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-c24v-8rfc-w8vw
Release Date: 2024-01-19
Fix Resolution: vite - 2.9.17,3.2.8,4.5.2,5.0.12
Step up your Open Source Security Game with Mend here