Jun 08, 2023 - 12:15 a.m.

CVE-2023-34238

2023-06-08 00:15:09
CWE-22
web.nvd.nist.gov
Tags: gatsby, react, local file inclusion, vulnerability, security, patch, upgrade, nvd

CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low
Percentile: 38.5%

Gatsby is a free and open source framework based on React. Gatsby versions prior to 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the __file-code-frame and __original-stack-frame paths, which are exposed when running the Gatsby develop server (gatsby develop). Any file in scope of the development server could potentially be exposed. By default, gatsby develop is only accessible via localhost (127.0.0.1); to be exploitable, the server must have been intentionally exposed to other interfaces using server options such as --host 0.0.0.0, -H 0.0.0.0, or the GATSBY_HOST=0.0.0.0 environment variable. A patch has been introduced in gatsby@5.9.1 and gatsby@4.25.7 which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.
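A defender-side check for the conditions described above, written as an added example (not code from Gatsby or from this advisory): it flags a Gatsby version in the affected ranges and a develop server asked to bind a non-loopback host. The function names are hypothetical, the inputs are constructed, and the --host=<value> form is assumed to be accepted alongside the options the advisory lists.

```javascript
// Added example (constructed): audit a `gatsby develop` invocation for CVE-2023-34238.
const LOOPBACK = new Set(["127.0.0.1", "localhost", "::1"]);

// Parse "major.minor.patch"; a pre-release or build suffix is ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Affected ranges from the advisory: < 4.25.7, or >= 5.0.0 and < 5.9.1.
function isAffected(version) {
  const v = parseVersion(version);
  if (lessThan(v, [4, 25, 7])) return true;
  return !lessThan(v, [5, 0, 0]) && lessThan(v, [5, 9, 1]);
}

// Collect every host requested via --host, -H, --host=<v> or GATSBY_HOST.
function requestedHosts(argv, env) {
  const hosts = [];
  argv.forEach((arg, i) => {
    if ((arg === "--host" || arg === "-H") && i + 1 < argv.length) hosts.push(argv[i + 1]);
    else if (arg.startsWith("--host=")) hosts.push(arg.slice("--host=".length));
  });
  if (env.GATSBY_HOST) hosts.push(env.GATSBY_HOST);
  return hosts;
}

// Hypothetical helper: classify one develop-server configuration.
function auditDevServer({ version, argv = [], env = {} }) {
  const affected = isAffected(version);
  // Any non-loopback host counts as exposed, whichever source would win.
  const nonLoopback = requestedHosts(argv, env).filter((h) => !LOOPBACK.has(h));
  const exposed = nonLoopback.length > 0;
  let verdict = "patched";
  if (affected) verdict = exposed ? "vulnerable-and-exposed" : "vulnerable-local-only";
  return { affected, exposed, nonLoopback, verdict };
}

// Constructed sample inputs.
console.log(auditDevServer({ version: "5.9.0", argv: ["develop", "-H", "0.0.0.0"] }));
console.log(auditDevServer({ version: "4.25.7", env: { GATSBY_HOST: "0.0.0.0" } }));
```

A patched version bound to a non-loopback host still reports exposed: true, so the exposure can be reviewed separately from the upgrade.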

Affected configurations

Node
gatsbyjs gatsby, range 5.0.0 - 5.9.1
OR
gatsbyjs gatsby, range < 4.25.7

Vendor    Product  Version  CPE
gatsbyjs  gatsby   *        cpe:2.3:a:gatsbyjs:gatsby:*:*:*:*:*:*:*:*
gatsbyjs  gatsby   *        cpe:2.3:a:gatsbyjs:gatsby:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "gatsbyjs",
    "product": "gatsby",
    "versions": [
      {
        "version": ">= 5.0.0, < 5.9.1",
        "status": "affected"
      },
      {
        "version": "< 4.25.7",
        "status": "affected"
      }
    ]
  }
]
