CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

2024-01-1919:43:17

CWE-178

CWE-200

CWE-284

GitHub_M

www.cve.org

vite

frontend

javascript

security

filesystem

bypass

windows

picomatch

blacklist

sensitivity

upgrade

restrict

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

50.6%

JSON

Vite is a frontend tooling framework for javascript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 – with surface area reduced to hosts having case-insensitive filesystems. Since picomatch defaults to case-sensitive glob matching, but the file server doesn’t discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files. This issue has been addressed in [email protected], [email protected], [email protected], and [email protected]. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

CNA Affected

[
  {
    "vendor": "vitejs",
    "product": "vite",
    "versions": [
      {
        "version": ">=2.7.0, < 2.9.17",
        "status": "affected"
      },
      {
        "version": ">=3.0.0, <3.2.8",
        "status": "affected"
      },
      {
        "version": ">=4.0.0, < 4.5.2",
        "status": "affected"
      },
      {
        "version": ">=5.0.0, < 5.0.12",
        "status": "affected"
      }
    ]
  }
]