Description
Vite is a frontend build tooling framework for JavaScript. In affected versions, the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite's serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
A flaw was found in ViteJS. `@fs` denies access to files outside of Vite's serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists, which can allow an attacker to access arbitrary files via the browser.
Statement
This vulnerability is classified as moderate rather than high severity because it requires specific conditions for exploitation. The attacker must have access to the Vite server, which typically runs in a local development environment rather than in production. Additionally, the bypass allows file access only if the file path is already known or predictable, limiting the attacker's ability to arbitrarily explore the file system. While it exposes file content outside the Vite serving allow list, the scope of access is constrained, and the impact can be mitigated by proper server configurations and deployment practices.
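An added check, not taken from the advisory or from the Vite project, that classifies an installed Vite version against the fix versions listed above and flags dev-server request paths matching the `/@fs/` plus `?import&raw` pattern described in the description. The "anything not provably fixed is reported as affected" rule and the sample request paths are assumptions, not ranges stated on this page.

```javascript
// Fix versions listed in the advisory, one per release line (major.minor).
const PATCHED_VITE_VERSIONS = ["5.4.6", "5.3.6", "5.2.14", "4.5.5", "3.2.11"];

// Parse "5.4.6" (tolerating a leading "v" and a prerelease suffix) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// "fixed" only when the version is at/after the listed fix on its own
// major.minor line, or newer than the newest listed fix altogether.
// Everything else (older than its line's fix, or on a line the advisory
// lists no fix for, e.g. 5.1.x) is reported as "affected" so it gets reviewed.
// This conservative rule is an assumption, not a range taken from the advisory.
function viteFsDenyBypassStatus(installed) {
  const v = parseVersion(installed);
  const fixes = PATCHED_VITE_VERSIONS.map(parseVersion);
  const sameLine = fixes.find((f) => f.major === v.major && f.minor === v.minor);
  if (sameLine) return compareVersions(v, sameLine) >= 0 ? "fixed" : "affected";
  const newest = fixes.reduce((a, b) => (compareVersions(a, b) >= 0 ? a : b));
  return compareVersions(v, newest) > 0 ? "fixed" : "affected";
}

// Dev-server request triage: flag a request path that targets /@fs/ and
// carries both the `import` and `raw` query flags the advisory describes.
// Intended for scanning dev-server or proxy logs; the base origin is a
// placeholder needed only so relative paths parse with the URL API.
function isFsRawImportRequest(requestPath) {
  let url;
  try {
    url = new URL(requestPath, "http://dev-server.invalid");
  } catch {
    return false;
  }
  return (
    url.pathname.startsWith("/@fs/") &&
    url.searchParams.has("import") &&
    url.searchParams.has("raw")
  );
}
```

Pass `viteFsDenyBypassStatus` the `version` field from `node_modules/vite/package.json`; a result of `"affected"` means upgrade to the fix version of that release line.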
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | automation-controller | Affected | | |
| Red Hat Ansible Automation Platform 2 | automation-eda-controller | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | vite | Not affected | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-agent-rhel8 | Not affected | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-collector-rhel8 | Not affected | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-es-index-cleaner-rhel8 | Not affected | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-es-rollover-rhel8 | Not affected | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-ingester-rhel8 | Not affected | | |
| Red Hat OpenShift distributed tracing 3 | rhosdt/jaeger-query-rhel8 | Affected | | |
| Red Hat OpenShift distributed tracing 3.4 | registry.redhat.io/rhosdt/jaeger-query-rhel8 | Fixed | RHSA-2024:10917 | 10.12.2024 |
Additional information
CVSS3: 4.8 Medium
Related vulnerabilities
Vite's `server.fs.deny` is bypassed when using `?import&raw`
CVSS3: 4.8 Medium