CVE-2024-23331
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 – with surface area reduced to hosts having case-insensitive filesystems. Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| vitejs | vite | >=2.7.0, < 2.9.17 | affected |
| vitejs | vite | >=3.0.0, <3.2.8 | affected |
| vitejs | vite | >=4.0.0, < 4.5.2 | affected |
| vitejs | vite | >=5.0.0, < 5.0.12 | affected |
Weaknesses
- CWE-178: CWE-178: Improper Handling of Case Sensitivity
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-284: CWE-284: Improper Access Control
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
- https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
- https://vitejs.dev/config/server-options.html#server-fs-deny
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
- https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
- https://vitejs.dev/config/server-options.html#server-fs-deny
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.