CVE-2024-48914
Published 2024-10-15
Priority P187 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 59.80% (99.0th percentile)
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. In the same code path is an additional vector for crashing the server via a malformed URI. Patches are available in versions 3.0.5 and 2.3.3. Some workarounds are also available. One may use object storage rather than the local file system, e.g. MinIO or S3, or define middleware which detects and blocks requests with urls containing `/../`.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vendure-ecommerce | vendure | < 2.3.3 | 2.3.3 |
| vendure-ecommerce | vendure | — | — |
| vendure | asset-server-plugin | >= 0 < 2.3.3 | 2.3.3 |
| vendure | asset-server-plugin | >= 3.0.0 < 3.0.5 | 3.0.5 |
Detection & IOCs (extracted from sources)
- Detect path traversal attempts targeting Vendure's asset server plugin by matching HTTP requests containing '/../' in the URL path
- A successful exploit response will return HTTP 200 with Content-Type 'application/octet-stream' and a body containing all of: 'name', 'version', 'main', 'license' (indicative of package.json exfiltration)
- Exploit is a single unauthenticated GET request; monitor for GET requests to '/assets/' paths that include directory traversal sequences (e.g., '/../') on Vendure instances
- A malformed URI in the same code path can crash the Vendure server; monitor for unexpected server crashes or 5xx errors following malformed asset requests
- The path traversal vulnerability only affects Vendure instances serving assets from the local file system via the asset-server-plugin (LocalAssetStorageStrategy); deployments using object storage (MinIO, S3) are not affected by the file read vector
- Vulnerable versions are strictly prior to 3.0.5 and 2.3.3; patched versions 3.0.5 and 2.3.3 are not affected
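The IOCs above, turned into a scanner over access-log lines. This is an added example, not the advisory's text and not any indexed detection rule. It goes a little further than the literal '/../' match: because the plugin decodes the request path before joining it, a percent-encoded segment ("..%2f", "%2e%2e/") reaches the same code, so the scanner tests the raw path and the decoded path, and it treats an escape that fails to decode as the malformed-URI crash vector. The log format and the sample lines are constructed, and "/assets/" as the asset route is an assumption about the deployment (it is the plugin's default, but it is configurable).

```typescript
// Added example, not from the advisory or any indexed detection rule: applies
// the IOCs above to web-server access-log lines. The log format and the
// sample lines are constructed; "/assets/" is the plugin's default route and
// is an assumption about the deployment being monitored.
export type Reason = "traversal" | "malformed-uri";
export interface Hit {
  line: string;
  method: string;
  path: string;
  status: number;
  reason: Reason;
}

// A ".." path segment in raw or percent-encoded form ("/../", "/..%2f",
// "%2e%2e/"); a literal "/../" match on its own misses the encoded variants.
const TRAVERSAL_SEGMENT = /(^|\/|%2f)(\.|%2e){2}(\/|%2f|$)/i;

export function classifyPath(rawPath: string): Reason | null {
  if (TRAVERSAL_SEGMENT.test(rawPath)) return "traversal";
  let decoded: string;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    // decodeURIComponent throws URIError on a bad escape: the malformed-URI crash vector
    return "malformed-uri";
  }
  return TRAVERSAL_SEGMENT.test(decoded) ? "traversal" : null;
}

// Common Log Format request line: "METHOD PATH HTTP/x.y" STATUS
const REQUEST_LINE = /"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/;

export function scanLog(lines: string[], assetRoute = "/assets/"): Hit[] {
  const hits: Hit[] = [];
  for (const line of lines) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue;
    const method = m[1];
    const requestPath = m[2].split("?")[0]; // drop the query string
    const status = Number(m[3]);
    if (!requestPath.startsWith(assetRoute)) continue; // only the asset route matters here
    const reason = classifyPath(requestPath);
    if (reason) hits.push({ line, method, path: requestPath, status, reason });
  }
  return hits;
}

// Constructed sample: a benign preview fetch, the advisory's PoC shape, an
// encoded variant, a malformed escape followed by a 500, a non-asset request,
// and a filename that merely contains ".." (must not be flagged).
export const SAMPLE_LOG: string[] = [
  '203.0.113.5 - - [15/Oct/2024:10:00:01 +0000] "GET /assets/preview/cat.jpg?w=100 HTTP/1.1" 200 48213',
  '203.0.113.5 - - [15/Oct/2024:10:00:02 +0000] "GET /assets/../package.json HTTP/1.1" 200 1874',
  '203.0.113.5 - - [15/Oct/2024:10:00:03 +0000] "GET /assets/..%2F..%2F.env HTTP/1.1" 200 512',
  '203.0.113.5 - - [15/Oct/2024:10:00:04 +0000] "GET /assets/% HTTP/1.1" 500 0',
  '203.0.113.5 - - [15/Oct/2024:10:00:05 +0000] "GET /admin-api HTTP/1.1" 200 9',
  '203.0.113.5 - - [15/Oct/2024:10:00:06 +0000] "GET /assets/preview/file..jpg HTTP/1.1" 200 300',
];
```

Running `scanLog(SAMPLE_LOG)` yields three hits: the plain PoC, the encoded variant and the malformed escape; the benign preview, the non-asset request and the "file..jpg" name are left alone. A 200 on a traversal hit is the exfiltration signal from the second IOC; a 5xx on a malformed-uri hit is the crash signal from the fourth.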
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vulncheck9.1CRITICAL
GHSA
Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
ghsa·2024-10-15 · CVE-2024-48914 [CRITICAL] · CWE-20
# Description
## Path traversal
This vulnerability allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server.
From Rajesh Sharma who discovered the vulnerability:
POC: `curl --path-as-is http://localhost:3000/assets/../package.json` gives you the content of package.json present in the local directory.
The vulnerability stems from usage of decodedReqPath directly in path.join without performing any path normalization, i.e. path.normalize in Node.js.
https://github.com/vendure-ecomme
OSV
Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
osv·2024-10-15 · CVE-2024-48914 [CRITICAL]
(Advisory text identical to the GHSA entry above.)
VulnCheck
vendure vendure Improper Input Validation
vulncheck·2024 · CVSS 9.1 · CVE-2024-48914 [CRITICAL]
(Description identical to the summary at the top of the page.)
Affected: vendure v
No detection rules found.
Nuclei
Vendure - Arbitrary File Read
nuclei · CVSS 9.1 · CVE-2024-48914 [CRITICAL]
(Description identical to the summary at the top of the page.)
Template:
id: CVE-2024-48914
info:
  name: Vendure - Arbitrary File Read
  author: s4e-io
  severity: critical
  description: |
    Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to c
No writeups or analysis indexed.
References:
https://github.com/vendure-ecommerce/vendure/blob/801980e8f599c28c5059657a9d85dd03e3827992/packages/asset-server-plugin/src/plugin.ts#L352-L358
https://github.com/vendure-ecommerce/vendure/commit/e2ee0c43159b3d13b51b78654481094fdd4850c5
https://github.com/vendure-ecommerce/vendure/commit/e4b58af6822d38a9c92a1d8573e19288b8edaa1c
https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-r9mq-3c9r-fmjq