CVE-2024-48914
published 2024-10-15


Priority: P187 · Severity: critical 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:H
In-the-wild exploit: VulnCheck KEV
Exploited in the wild
EPSS: 59.80% (99.0th percentile)
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. In the same code path is an additional vector for crashing the server via a malformed URI. Patches are available in versions 3.0.5 and 2.3.3. Some workarounds are also available: one may use object storage rather than the local file system (e.g. MinIO or S3), or define middleware which detects and blocks requests with URLs containing `/../`.

Affected (4 ranges)

Vendor             | Product             | Version range      | Fixed in
vendure-ecommerce  | vendure             | < 2.3.3            | 2.3.3
vendure-ecommerce  | vendure             |                    |
vendure            | asset-server-plugin | >= 0 < 2.3.3       | 2.3.3
vendure            | asset-server-plugin | >= 3.0.0 < 3.0.5   | 3.0.5

Detection & IOCs (extracted from sources)

path: /assets/../package.json
  • Detect path traversal attempts targeting Vendure's asset server plugin by matching HTTP requests containing '/../' in the URL path
  • A successful exploit response will return HTTP 200 with Content-Type 'application/octet-stream' and a body containing all of: 'name', 'version', 'main', 'license' (indicative of package.json exfiltration)
  • Exploit is a single unauthenticated GET request; monitor for GET requests to '/assets/' paths that include directory traversal sequences (e.g., '/../') on Vendure instances
  • A malformed URI in the same code path can crash the Vendure server; monitor for unexpected server crashes or 5xx errors following malformed asset requests
  • The path traversal vulnerability only affects Vendure instances using the local file system via the asset-server-plugin; deployments using object storage (MinIO, S3) are not affected by the file read vector
  • Vulnerable versions are strictly prior to 3.0.5 and 2.3.3; patched versions 3.0.5 and 2.3.3 are not affected
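The workaround middleware described in the summary and the detection bullets above share one check: does an asset request path contain a traversal sequence? The following is an added example, not Vendure's own code, that implements that check once and uses it both as Express-style middleware and as a scan over constructed access-log lines. It goes slightly beyond the advisory's literal `/../` by also catching percent-encoded and backslash forms, and it treats a path that fails to percent-decode as a bad request instead of letting the decode error propagate. Function names, the 400 status and the log lines are assumptions for this example.

```javascript
// Matches a ".." segment bounded by slashes (or string ends) after normalisation.
const TRAVERSAL = /(^|\/)\.\.(\/|$)/;

// Classify a raw request path. Returns { verdict: 'allow'|'reject', reason }.
function classifyAssetPath(rawPath) {
  const pathOnly = rawPath.split('?')[0]; // ignore the query string
  let decoded;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch (e) {
    // Malformed percent-encoding (e.g. a lone "%") throws URIError in Node;
    // reject it rather than let the exception reach the request handler.
    return { verdict: 'reject', reason: 'malformed-uri' };
  }
  // Treat backslashes as separators and collapse repeated slashes.
  const normalised = decoded.replace(/\\/g, '/').replace(/\/{2,}/g, '/');
  if (TRAVERSAL.test(normalised)) {
    return { verdict: 'reject', reason: 'path-traversal' };
  }
  return { verdict: 'allow', reason: 'ok' };
}

// Express-style middleware (req, res, next) that blocks rejected paths with 400.
function blockAssetTraversal(req, res, next) {
  if (classifyAssetPath(req.url).verdict === 'reject') {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Constructed access-log lines in "combined" log shape (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [15/Oct/2024:10:01:02 +0000] "GET /assets/preview/shirt.jpg HTTP/1.1" 200 51234',
  '203.0.113.9 - - [15/Oct/2024:10:01:07 +0000] "GET /assets/../package.json HTTP/1.1" 200 1879',
  '203.0.113.9 - - [15/Oct/2024:10:01:09 +0000] "GET /assets/%2e%2e/%2e%2e/.env HTTP/1.1" 200 412',
  '203.0.113.9 - - [15/Oct/2024:10:01:11 +0000] "GET /assets/% HTTP/1.1" 500 0',
];

// Scan log lines for GET requests under /assets/ that the check would reject.
function findSuspiciousAssetRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /"GET (\/assets\/\S*) HTTP/.exec(line);
    if (!m) continue;
    const r = classifyAssetPath(m[1]);
    if (r.verdict === 'reject') hits.push({ path: m[1], reason: r.reason });
  }
  return hits;
}
```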

CVSS provenance

nvd: v3.1 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vulncheck: 9.1 CRITICAL