Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Metrics
Affected Vendors & Products
References
History
Thu, 12 Dec 2024 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat openshift Distributed Tracing |
|
CPEs | cpe:/a:redhat:openshift_distributed_tracing:3.4::el8 | |
Vendors & Products |
Redhat
Redhat openshift Distributed Tracing |
Wed, 18 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Vitejs
Vitejs vite |
|
CPEs | cpe:2.3:a:vitejs:vite:*:*:*:*:*:node.js:*:* | |
Vendors & Products |
Vitejs
Vitejs vite |
|
Metrics |
ssvc
|
Tue, 17 Sep 2024 23:30:00 +0000
Tue, 17 Sep 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |
Title | server.fs.deny bypassed when using ?import&raw in vite | |
Weaknesses | CWE-200 CWE-284 |
|
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-17T20:08:11.801Z
Updated: 2024-09-18T14:06:21.732Z
Reserved: 2024-09-09T14:23:07.505Z
Link: CVE-2024-45811
Vulnrichment
Updated: 2024-09-18T14:06:08.284Z
NVD
Status : Awaiting Analysis
Published: 2024-09-17T20:15:05.800
Modified: 2024-09-20T12:30:51.220
Link: CVE-2024-45811
Redhat