CVE-2024-45811

Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34
https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx

Configurations

No configuration.

History

20 Sep 2024, 12:30

Type	Values Removed	Values Added
Summary		(es) Vite es un framework de herramientas de compilación de interfaz para JavaScript. En las versiones afectadas, el contenido de archivos arbitrarios se puede devolver al navegador. `@fs` niega el acceso a archivos fuera de la lista de permitidos de Vite. Agregar `?import&raw` a la URL evita esta limitación y devuelve el contenido del archivo si existe. Este problema se ha corregido en las versiones 5.4.6, 5.3.6, 5.2.14, 4.5.5 y 3.2.11. Se recomienda a los usuarios que actualicen. No existen workarounds para esta vulnerabilidad.

17 Sep 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-17 20:15

Updated : 2024-09-20 12:30

NVD link : CVE-2024-45811

Mitre link : CVE-2024-45811

CVE.ORG link : CVE-2024-45811

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-284

Improper Access Control

4.8 /10