{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45811", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-09-09T14:23:07.505Z", "datePublished": "2024-09-17T20:08:11.801Z", "dateUpdated": "2024-09-18T14:06:21.732Z"}, "containers": {"cna": {"title": "server.fs.deny bypassed when using ?import&raw in vite", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx"}, {"name": "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34", "tags": ["x_refsource_MISC"], "url": "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34"}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"version": ">= 5.4.0, < 5.4.6", "status": "affected"}, {"version": ">= 5.3.0, < 5.3.6", "status": "affected"}, {"version": ">= 5.0.0, < 5.2.14", "status": "affected"}, {"version": ">= 4.0.0, < 4.5.5", "status": "affected"}, {"version": "< 3.2.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-17T20:08:11.801Z"}, "descriptions": [{"lang": "en", "value": "Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-9cwx-2883-4wfx", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "vitejs", "product": "vite", "cpes": ["cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.4.0", "status": "affected", "lessThan": "5.4.6", "versionType": "custom"}, {"version": "5.3.0", "status": "affected", "lessThan": "5.3.6", "versionType": "custom"}, {"version": "5.0.0", "status": "affected", "lessThan": "5.2.14", "versionType": "custom"}, {"version": "4.0.0", "status": "affected", "lessThan": "4.5.5", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "3.2.11", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T13:59:58.812671Z", "id": "CVE-2024-45811", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T14:06:21.732Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45811", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-18T13:59:58.812671Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*"], "vendor": "vitejs", "product": "vite", "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.6", "versionType": "custom"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.6", "versionType": "custom"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.2.14", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.5.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "3.2.11", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T14:06:08.284Z"}}], "cna": {"title": "server.fs.deny bypassed when using ?import&raw in vite", "source": {"advisory": "GHSA-9cwx-2883-4wfx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "vitejs", "product": "vite", "versions": [{"status": "affected", "version": ">= 5.4.0, < 5.4.6"}, {"status": "affected", "version": ">= 5.3.0, < 5.3.6"}, {"status": "affected", "version": ">= 5.0.0, < 5.2.14"}, {"status": "affected", "version": ">= 4.0.0, < 4.5.5"}, {"status": "affected", "version": "< 3.2.11"}]}], "references": [{"url": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx", "name": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34", "name": "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-09-17T20:08:11.801Z"}}}, "cveMetadata": {"cveId": "CVE-2024-45811", "state": "PUBLISHED", "dateUpdated": "2024-09-18T14:06:21.732Z", "dateReserved": "2024-09-09T14:23:07.505Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-09-17T20:08:11.801Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Vite es un framework de herramientas de compilaci\u00f3n de interfaz para JavaScript. En las versiones afectadas, el contenido de archivos arbitrarios se puede devolver al navegador. `@fs` niega el acceso a archivos fuera de la lista de permitidos de Vite. Agregar `?import&amp;raw` a la URL evita esta limitaci\u00f3n y devuelve el contenido del archivo si existe. Este problema se ha corregido en las versiones 5.4.6, 5.3.6, 5.2.14, 4.5.5 y 3.2.11. Se recomienda a los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-45811", "lastModified": "2024-09-20T12:30:51.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-09-17T20:15:05.800", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34"}, {"source": "security-advisories@github.com", "url": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vite: server.fs.deny is bypassed when using `?import&raw`", "id": "2312930", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312930"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "(CWE-200|CWE-284)", "details": ["Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "A flaw was found in ViteJS. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists, which can allow an attacker to access arbitrary files via the browser."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-45811", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "automation-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Not affected", "package_name": "automation-eda-controller", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "vite", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:3", "fix_state": "Affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 3"}], "public_date": "2024-09-17T18:44:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45811\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45811\nhttps://github.com/vitejs/vite\nhttps://github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249\nhttps://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34\nhttps://github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd\nhttps://github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6\nhttps://github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7\nhttps://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx"], "statement": "This vulnerability is classified as moderate rather than high severity because it requires specific conditions for exploitation. The attacker must have access to the Vite server, which typically runs in a local development environment rather than in production. Additionally, the bypass allows file access only if the file path is already known or predictable, limiting the attacker's ability to arbitrarily explore the file system. While it exposes file content outside the Vite serving allow list, the scope of access is constrained, and the impact can be mitigated by proper server configurations and deployment practices.", "threat_severity": "Moderate"}