CVE-2024-23331Improper Handling of Case Sensitivity in Vite

CWE-178Improper Handling of Case SensitivityCWE-200Sensitive Information ExposureCWE-284Improper Access Control3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.5%
top 34.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Vitejs Vite
Timeline
PublishedJan 19

Description

Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requestin

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDvitejs/vite2.7.02.9.17+3
npmvitejs/vite2.7.02.9.17+3

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem2024-01-19
GHSA
Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem2024-01-19