Path Equivalence: '//multiple/leading/slash' in org.webjars.npm:vite
CVE-2023-34092
- org.webjars.npm:vite
- vite
Summary
Vite provides front-end tooling. In versions through 2.9.15, 3.0.2 through 3.2.6, 4.0.0-alpha.0 through 4.0.4, 4.1.0-beta.0 through 4.1.4, 4.2.0-beta.0 through 4.2.2, and 4.3.0-beta.0 through 4.3.8, the Vite server option `server.fs.deny` can be bypassed using a double forward-slash (//), allowing any unauthenticated user to read files from the Vite root path of the application, including files covered by the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-50 - Path Equivalence: '//multiple/leading/slash'
A software system that accepts path input in the form of multiple leading slashes ('//multiple/leading/slash') without appropriate validation can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
References
Advisory Timeline
- Published