Improper Access Control Affecting org.webjars.npm:vite package, versions [,5.4.9)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGWEBJARSNPM-6591099
  • published15 Apr 2024
  • disclosed3 Apr 2024
  • creditjtmcdole

Introduced: 3 Apr 2024

CVE-2024-31207  (opens in a new tab)
CWE-200  (opens in a new tab)
CWE-284  (opens in a new tab)

How to fix?

Upgrade org.webjars.npm:vite to version 5.4.9 or higher.

Overview

org.webjars.npm:vite is a Native-ESM powered web dev build tool

Affected versions of this package are vulnerable to Improper Access Control due to improper request handling through server.fs.deny configuration, which fails to deny requests for patterns with directories. This misconfiguration allows an attacker to bypass intended access restrictions and retrieve sensitive files from the server by crafting specific requests.

Note:

Only apps setting a custom server.fs.deny that includes a pattern with directories and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

PoC

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

with matchBase: true, you can get any file under .git/ (config, HEAD, etc).

CVSS Scores

version 3.1