CVE-2024-23331 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-23331 PUBLISHED CVSS 7.5 HIGH

Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

EPSS 0.48% · 64.9th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

0.48%

64.9th percentile

Affected Products

Vendor	Product	Versions
npm	vite	2.7.0, 3.0.0, 4.0.0
vitejs	vite	2.7.0, 3.0.0, >=2.7.0, < 2.9.17

Timeline

Jan 21, 1970 Security Advisory
Jan 19, 2024 CVE Published
Jan 24, 2024 EPSS Score
Feb 20, 2024 EPSS Score
Mar 18, 2024 EPSS Score
Apr 15, 2024 EPSS Score
May 12, 2024 EPSS Score
Jun 8, 2024 EPSS Score
Jul 5, 2024 EPSS Score
Aug 2, 2024 EPSS Score
Sep 25, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score

References

Open in Interactive Console →