CVE-2024-31207
published 2024-04-04CVE-2024-31207: Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does…
PriorityP431medium5.9CVSS 3.1
AVNACHPRNUINSUCHINAN
EPSS
0.71%
48.9th percentile
Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | — | — |
| vitejs | vite | >= 2.7.0 < 2.9.18 | 2.9.18 |
| vitejs | vite | >= 3.0.0 < 3.2.10 | 3.2.10 |
| vitejs | vite | >= 4.0.0 < 4.5.3 | 4.5.3 |
| vitejs | vite | >= 5.0.0 < 5.0.13 | 5.0.13 |
| vitejs | vite | >= 5.1.0 < 5.1.7 | 5.1.7 |
| vitejs | vite | >= 5.2.0 < 5.2.6 | 5.2.6 |
CVSS provenance
nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
vendor_redhat5.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Vite's `server.fs.deny` did not deny requests for patterns with directories.
osv·2024-04-03
CVE-2024-31207 [MEDIUM] Vite's `server.fs.deny` did not deny requests for patterns with directories.
Vite's `server.fs.deny` did not deny requests for patterns with directories.
### Summary
[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.
### Impact
Only apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.
### Patches
Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
### Details
`server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. [matchBase](https://github.com/micromatch/pic
GHSA
Vite's `server.fs.deny` did not deny requests for patterns with directories.
ghsa·2024-04-03
CVE-2024-31207 [MEDIUM] CWE-200 Vite's `server.fs.deny` did not deny requests for patterns with directories.
Vite's `server.fs.deny` did not deny requests for patterns with directories.
### Summary
[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`.
### Impact
Only apps setting a custom `server.fs.deny` that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.
### Patches
Fixed in [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
### Details
`server.fs.deny` uses picomatch with the config of `{ matchBase: true }`. [matchBase](https://github.com/micromatch/pic
Red Hat
vitejs: "server.fs.deny" configuration does not deny requests that include patterns
vendor_redhat·2024-04-04·CVSS 5.9
CVE-2024-31207 [MEDIUM] CWE-425 vitejs: "server.fs.deny" configuration does not deny requests that include patterns
vitejs: "server.fs.deny" configuration does not deny requests that include patterns
Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18.
A flaw was found in the Node.js Vite package. When configuring the "server.fs.deny" server option to deny requests that include a pattern with directories such as /foo/**/*, the requests were still being allowed. This can potentially expose files or directories containing sensitive information. Only apps setting a custom "server.fs.deny" that includes a pattern with directories, and explicitly exposing th
Suricata
ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M2 (CVE-2021-31207)
suricata·2021-08-09·CVSS 6.6
CVE-2021-31207 [MEDIUM] ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M2 (CVE-2021-31207)
ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M2 (CVE-2021-31207)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M2 (CVE-2021-31207)"; flow:established,to_server; flowbits:set,ET.cve.2021.34473; http.uri; content:"/autodiscover?"; nocase; content:"/mapi/nspi"; nocase; distance:0; fast_pattern; http.cookie; content:"Email=autodiscover/"; nocase; reference:cve,2021-31207; classtype:attempted-admin; sid:2033682; rev:3; metadata:affected_product Microsoft_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_14, mitre_tactic_id TA0001, mitre_
Suricata
ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207)
suricata·2021-08-09·CVSS 6.6
CVE-2021-31207 [MEDIUM] ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207)
ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207)
Rule: alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Vulnerable Microsoft Exchange Server Response (CVE-2021-31207)"; flow:established,to_client; flowbits:isset,ET.cve.2021.34473; http.stat_code; content:"302"; reference:cve,2021-31207; classtype:attempted-admin; sid:2033683; rev:3; metadata:affected_product Microsoft_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Suricata
ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)
suricata·2021-08-09·CVSS 6.6
CVE-2021-31207 [MEDIUM] ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)
ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)"; flow:established,to_server; flowbits:set,ET.cve.2021.34473; http.uri; content:"/autodiscover"; nocase; fast_pattern; content:"Email=autodiscover/"; nocase; reference:cve,2021-31207; classtype:attempted-admin; sid:2033681; rev:5; metadata:affected_product Microsoft_Exchange, attack_target Server, created_at 2021_08_09, cve CVE_2021_31207, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mi
No public exploits indexed.
https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2ghttps://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g
2024-04-04
Published