CVE-2024-31207 - OpenCVE

Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0
https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48
https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67
https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9
https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258
https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649
https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g
https://nvd.nist.gov/vuln/detail/CVE-2024-31207
https://www.cve.org/CVERecord?id=CVE-2024-31207

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-04T15:51:54.683Z

Updated: 2024-08-02T01:46:04.483Z

Reserved: 2024-03-29T14:16:31.900Z

Link: CVE-2024-31207

Vulnrichment

Updated: 2024-05-23T19:01:22.140Z

NVD

Status : Awaiting Analysis

Published: 2024-04-04T16:15:09.333

Modified: 2024-04-04T16:33:06.610

Link: CVE-2024-31207

Redhat

Severity : Moderate

Publid Date: 2024-04-04T00:00:00Z

Links: CVE-2024-31207 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31207", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-29T14:16:31.900Z", "datePublished": "2024-04-04T15:51:54.683Z", "dateUpdated": "2024-08-02T01:46:04.483Z"}, "containers": {"cna": {"title": "Vite's `server.fs.deny` did not deny requests for patterns with directories", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"}, {"name": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"}, {"name": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"}, {"name": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"}, {"name": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"}, {"name": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"}, {"name": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"version": ">= 2.7.0, <= 2.9.17", "status": "affected"}, {"version": ">= 3.0.0, <= 3.2.8", "status": "affected"}, {"version": ">= 4.0.0, <= 4.5.2", "status": "affected"}, {"version": ">= 5.0.0, <= 5.0.12", "status": "affected"}, {"version": ">= 5.1.0, <= 5.1.6", "status": "affected"}, {"version": ">= 5.2.0, <= 5.2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T15:51:54.683Z"}, "descriptions": [{"lang": "en", "value": "Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18."}], "source": {"advisory": "GHSA-8jhw-289h-jh2g", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31207", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-04T17:23:36.781933Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:36:11.128Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:46:04.483Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"}, {"name": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"}, {"name": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"}, {"name": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"}, {"name": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"}, {"name": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"}, {"name": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31207", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-29T14:16:31.900Z", "datePublished": "2024-04-04T15:51:54.683Z", "dateUpdated": "2024-06-04T17:36:11.128Z"}, "containers": {"cna": {"title": "Vite's `server.fs.deny` did not deny requests for patterns with directories", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"}, {"name": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"}, {"name": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"}, {"name": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"}, {"name": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"}, {"name": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"}, {"name": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"version": ">= 2.7.0, <= 2.9.17", "status": "affected"}, {"version": ">= 3.0.0, <= 3.2.8", "status": "affected"}, {"version": ">= 4.0.0, <= 4.5.2", "status": "affected"}, {"version": ">= 5.0.0, <= 5.0.12", "status": "affected"}, {"version": ">= 5.1.0, <= 5.1.6", "status": "affected"}, {"version": ">= 5.2.0, <= 5.2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T15:51:54.683Z"}, "descriptions": [{"lang": "en", "value": "Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18."}], "source": {"advisory": "GHSA-8jhw-289h-jh2g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31207", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-04T17:23:36.781933Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:22.140Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18."}, {"lang": "es", "value": "Vite (palabra francesa para \"r\u00e1pido\", pronunciada /vit/, como \"veet\") es una herramienta de construcci\u00f3n de frontend para mejorar la experiencia de desarrollo de frontend. `server.fs.deny` no niega solicitudes de patrones con directorios. Esta vulnerabilidad ha sido parcheada en las versiones 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 y 2.9.18."}], "id": "CVE-2024-31207", "lastModified": "2024-04-04T16:33:06.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-04T16:15:09.333", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vitejs: \"server.fs.deny\" configuration does not deny requests that include patterns", "id": "2273531", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2273531"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "(CWE-200|CWE-284)", "details": ["Vite (French word for \"quick\", pronounced /vit/, like \"veet\") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.", "A flaw was found in the Node.js Vite package. When configuring the \"server.fs.deny\" server option to deny requests that include a pattern with directories such as /foo/**/*, the requests were still being allowed. This can potentially expose files or directories containing sensitive information. Only apps setting a custom \"server.fs.deny\" that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using --host or server.host config option are affected."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-31207", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}], "public_date": "2024-04-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-31207\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-31207"], "statement": "This issue is considered of moderate severity due to its potential to expose sensitive files or directories under specific conditions. The vulnerability arises when a custom server.fs.deny pattern including directories, such as /foo/**/*, fails to block access as intended. This flaw can only be exploited if the Vite dev server is explicitly exposed to the network via the --host or server.host options. Therefore, the issue requires both a specific server configuration and intentional network exposure, which mitigates the likelihood of widespread exploitation but still poses a significant risk in environments where these conditions are met, potentially leading to unauthorized access to sensitive data.", "threat_severity": "Moderate", "upstream_fix": "vite 5.2.6, vite 5.1.7, vite 5.0.13, vite 4.5.3, vite 3.2.10, vite 2.9.18"}