9 matches found
PT-2026-3556
A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024...
Directory Traversal
@vendure/asset-server-plugin is vulnerable to Directory Traversal. The vulnerability is due to improper validation in Vendure's asset server plugin, which allows an attacker to craft requests that traverse the server file system, retrieving arbitrary files including sensitive data and crashing th...
@artcoded/gcp-asset-server-plugin (>=1.0.1 <=1.0.4), @grupo-loja/vendure-banner-plugin (=1.0.0) +54 more potentially affected by CVE-2024-48914 via @vendure/asset-server-plugin (>=0.12.5 <=2.2.7)
@vendure/asset-server-plugin NPM version =0.12.5, =1.0.1, =1.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.1.0, =2.0.0, =2.0.1, =2.0.0, =2.0.0, =2.0.0, =2.2.4 and more Source cves: CVE-2024-48914 Source advisory: OSV:GHSA-R9MQ-3C9R-FMJQ...
GHSA-R9MQ-3C9R-FMJQ Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
Description Path traversal This vulnerability allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the...
Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
Description Path traversal This vulnerability allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the...
CVE-2024-48914
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data...
CVE-2024-48914 Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data...
CVE-2024-48914 Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data...
CVE-2024-48914
Summary (CVE-2024-48914): Vendure’s asset server plugin allows an attacker to traverse the server filesystem and read arbitrary files, including configs and environment data, due to using the decoded request path directly in path.join (no normalization). A second vector in the same code path can ...