GitHub_MVULNRICHMENT:CVE-2024-31207CVE-2024-31207 Vite's `server.fs.deny` did not deny requests for patterns with directories
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Vite (French word for “quick”, pronounced /vit/, like “veet”) is a frontend build tooling to improve the frontend development experience.server.fs.deny does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.
References
github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0
github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48
github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67
github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9
github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258
github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649
github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial