Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
History

Thu, 12 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat openshift Distributed Tracing
CPEs cpe:/a:redhat:openshift_distributed_tracing:3.4::el8
Vendors & Products Redhat
Redhat openshift Distributed Tracing

Wed, 18 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Vitejs
Vitejs vite
CPEs cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:*
Vendors & Products Vitejs
Vitejs vite
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Sep 2024 23:30:00 +0000


Tue, 17 Sep 2024 20:15:00 +0000

Type Values Removed Values Added
Description Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Title server.fs.deny bypassed when using ?import&raw in vite
Weaknesses CWE-200
CWE-284
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-17T20:08:11.801Z

Updated: 2024-09-18T14:06:21.732Z

Reserved: 2024-09-09T14:23:07.505Z

Link: CVE-2024-45811

cve-icon Vulnrichment

Updated: 2024-09-18T14:06:08.284Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-09-17T20:15:05.800

Modified: 2024-09-20T12:30:51.220

Link: CVE-2024-45811

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-09-17T18:44:12Z

Links: CVE-2024-45811 - Bugzilla