Skip to content

CVE-2024-23331 (High) detected in vite-2.7.9.tgz #35

New issue
New issue
Open
Open
CVE-2024-23331 (High) detected in vite-2.7.9.tgz#35
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Apr 11, 2024

CVE-2024-23331 - High Severity Vulnerability

Vulnerable Library - vite-2.7.9.tgz

Native-ESM powered web dev build tool

Library home page: https://registry.npmjs.org/vite/-/vite-2.7.9.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/vite/package.json

Dependency Hierarchy:

  • vuepress-2.0.0-beta.31.tgz (Root Library)
    • vuepress-vite-2.0.0-beta.31.tgz
      • bundler-vite-2.0.0-beta.31.tgz
        • vite-2.7.9.tgz (Vulnerable Library)

Found in HEAD commit: cc4e8cd1c879b3e0e71530e7e3255a4cc7824460

Found in base branch: main

Vulnerability Details

Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files. This issue has been addressed in [email protected], [email protected], [email protected], and [email protected]. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

Publish Date: 2024-01-19

URL: CVE-2024-23331

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c24v-8rfc-w8vw

Release Date: 2024-01-19

Fix Resolution: vite - 2.9.17,3.2.8,4.5.2,5.0.12

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions