Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration. For more information, see the CWE/SANS Top 25 list.
Information

Name: CVE-2024-23331
Vendor: Cve
First vendor publication: 2024-01-19
Last vendor modification: 2024-01-29

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Overall CVSS score: 7.5
Base score: 7.5
Environmental score: 7.5
Temporal score: 7.5
Impact subscore: 3.6
Exploitability subscore: 3.9

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

Security-Database Scoring CVSS v2

CVSS vector: N/A
Base score: N/A
Impact score: N/A
Exploit score: N/A
Attack range: N/A
Attack complexity: N/A
Authentication: N/A

Detail

Vite is a frontend tooling framework for JavaScript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems by requesting case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092, with the affected surface reduced to hosts that have case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching but the file server does not discriminate by case, a deny-list bypass is possible: by requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.
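As an added illustration (not Vite's own code, and not the fix from the linked commit), the following models a `server.fs.deny` matcher in its weak form (case-sensitive globs on a case-insensitive filesystem) beside a hardened form that matches case-insensitively on such hosts; `globToRegExp` is a hypothetical stand-in for `picomatch` covering only the glob subset used by a deny list modelled on Vite's documented defaults, and whether the fixed Vite versions use exactly this mitigation is not stated on this page.

```javascript
// Added example, not Vite's own code: a minimal server.fs.deny matcher showing
// why case-sensitive globs fail on a case-insensitive filesystem (e.g. Windows).
// globToRegExp is a hypothetical stand-in for picomatch that supports only the
// subset needed here: *, **, ? and {a,b}.
function globToRegExp(glob, { nocase }) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") { re += ".*"; i++; } // ** spans directories
    else if (c === "*") re += "[^/]*";                          // * stays in one segment
    else if (c === "?") re += "[^/]";
    else if (c === "{") re += "(?:";                             // {crt,pem} -> (?:crt|pem)
    else if (c === "}") re += ")";
    else if (c === ",") re += "|";
    else re += c.replace(/[.+^$()|[\]\\]/g, "\\$&");             // literal character
  }
  return new RegExp("^" + re + "$", nocase ? "i" : "");
}

// Build an isDenied(path) predicate. Patterns without a slash are matched against
// the basename only (like picomatch's matchBase option); others against the full path.
function makeDenyMatcher(denyPatterns, { caseInsensitiveFS }) {
  const rules = denyPatterns.map((p) => ({
    basenameOnly: !p.includes("/"),
    re: globToRegExp(p, { nocase: caseInsensitiveFS }),
  }));
  return (requestedPath) => {
    const normalized = requestedPath.replace(/\\/g, "/"); // Windows separators -> "/"
    const basename = normalized.split("/").pop();
    return rules.some((r) => r.re.test(r.basenameOnly ? basename : normalized));
  };
}

// Deny list constructed for this example, modelled on Vite's documented defaults.
const DEFAULT_DENY = [".env", ".env.*", "*.{crt,pem}", "**/.git/**"];

// Weak: globs are matched case-sensitively although the OS resolves ".ENV" and
// ".env" to the same file, so a request spelled ".ENV" is not denied and is served.
const weakIsDenied = makeDenyMatcher(DEFAULT_DENY, { caseInsensitiveFS: false });

// Hardened: when the host filesystem is case-insensitive, match the deny globs
// case-insensitively so every spelling of a denied name is blocked.
const hardenedIsDenied = makeDenyMatcher(DEFAULT_DENY, { caseInsensitiveFS: true });
```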

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-23331

CWE : Common Weakness Enumeration

Weight  Id       Name
33 %    CWE-284  Access Control (Authorization) Issues
33 %    CWE-200  Information Exposure
33 %    CWE-178  Failure to Resolve Case Sensitivity (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type: Application
Count: 24

Sources (Detail)

https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5
https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw
https://vitejs.dev/config/server-options.html#server-fs-deny

Alert History

Date and information
2024-01-29 21:27:35
  • Multiple updates
2024-01-20 00:27:24
  • First insertion