Description
Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience. `server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.
A flaw was found in the Node.js Vite package. When configuring the "server.fs.deny" server option to deny requests that include a pattern with directories such as /foo/**/*, the requests were still being allowed. This can potentially expose files or directories containing sensitive information. Only apps setting a custom "server.fs.deny" that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using --host or server.host config option are affected.
Statement
This issue is considered of moderate severity due to its potential to expose sensitive files or directories under specific conditions. The vulnerability arises when a custom server.fs.deny pattern including directories, such as /foo/**/*, fails to block access as intended. This flaw can only be exploited if the Vite dev server is explicitly exposed to the network via the --host or server.host options. Therefore, the issue requires both a specific server configuration and intentional network exposure, which mitigates the likelihood of widespread exploitation but still poses a significant risk in environments where these conditions are met, potentially leading to unauthorized access to sensitive data.
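To make the bug class in the description and statement above concrete, here is an added example (not Vite's code): a minimal deny-list matcher in which a basename-only check silently fails for a pattern with directories such as `/foo/**/*`, next to a path-aware check that enforces it. The basename-only mechanism is an assumption used for illustration, not a description of Vite's internals.

```javascript
// Added example, not Vite's code. Shows why a deny check that only looks at the
// file's basename can never enforce a pattern that contains directories.

// Translate a subset of glob syntax (**, *, ?) into an anchored RegExp.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      // "**/" spans zero or more directory segments; a bare "**" spans anything
      if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; }
      else { re += ".*"; i += 1; }
    } else if (c === "*") {
      re += "[^/]*";              // a single "*" never crosses a "/"
    } else if (c === "?") {
      re += "[^/]";
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");  // escape regex metacharacters
    }
  }
  return new RegExp("^" + re + "$");
}

// Collapse "." and ".." segments so traversal cannot dodge the patterns.
function normalizePath(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return "/" + out.join("/");
}

// Failure mode (assumed mechanism, for illustration only): patterns are matched
// against the basename alone, so "/foo/**/*" can never match anything.
function deniedByBasename(requestPath, denyPatterns) {
  const base = normalizePath(requestPath).split("/").pop();
  return denyPatterns.some((p) => globToRegExp(p).test(base));
}

// Correct behaviour: match against the full normalized path; patterns without
// a "/" are additionally matched against the basename so ".env" still works.
function deniedByPath(requestPath, denyPatterns) {
  const full = normalizePath(requestPath);
  const base = full.split("/").pop();
  return denyPatterns.some((p) => {
    const re = globToRegExp(p);
    return re.test(full) || (!p.includes("/") && re.test(base));
  });
}
```

The actual remedy remains upgrading to one of the patched Vite versions listed in the description; the matcher only shows what a correct check must do.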
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | automation-controller | Not affected | | |
| Red Hat Build of Keycloak | org.keycloak-keycloak-parent | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | org.keycloak-keycloak-parent | Not affected | | |
Additional Information
Status:
CVSS3: 5.9 Medium
Related Vulnerabilities
Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience. `server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.
Vite's `server.fs.deny` did not deny requests for patterns with directories.
Vulnerability in the local development server of Vite applications, caused by access-control weaknesses, allowing an attacker to execute arbitrary code
CVSS3: 5.9 Medium