Improper Access Control Affecting org.webjars.npm:vite package, versions [,5.4.9)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-6591099
- published 15 Apr 2024
- disclosed 3 Apr 2024
- credit jtmcdole
How to fix?
Upgrade org.webjars.npm:vite
to version 5.4.9 or higher.
Overview
org.webjars.npm:vite is a Native-ESM powered web dev build tool
Affected versions of this package are vulnerable to Improper Access Control due to improper request handling through server.fs.deny
configuration, which fails to deny requests for patterns with directories. This misconfiguration allows an attacker to bypass intended access restrictions and retrieve sensitive files from the server by crafting specific requests.
Note:
Only apps setting a custom server.fs.deny
that includes a pattern with directories and explicitly exposing the Vite dev server to the network (using --host
or server.host config option) are affected.
PoC
Set fs.deny to ['**/.git/**']
and then curl for /.git/config
.
with matchBase: true
, you can get any file under .git/
(config, HEAD, etc).