CVE-2023-34092
Summary
| CVE | CVE-2023-34092 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-06-01 17:15:00 UTC |
| Updated | 2023-06-09 16:03:00 UTC |
| Description | Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, the Vite server option `server.fs.deny` can be bypassed using a double forward-slash (//), which allows any unauthenticated user to read files from the Vite root path of the application, including files covered by the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or the `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in [email protected], [email protected], [email protected], [email protected], [email protected], and [email protected]. |
Risk And Classification
Problem Types: CWE-706
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//) · Advisory · vitejs/vite · GitHub | MISC | github.com | |
| fix: fs.deny with leading double slash by patak-dev · Pull Request #13348 · vitejs/vite · GitHub | MISC | github.com | |
| fix: fs.deny with leading double slash (#13348) · vitejs/vite@813ddd6 · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 996771 NodeJs (Npm) Security Update for vite (GHSA-c24v-8rfc-w8vw)