Exploit
CVE-2024-48914

Improper Input Validation (CWE-20)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 9.1 / EPSS 0.05% / Critical

Summary

A vulnerability in Vendure's asset server plugin allows attackers to perform path traversal attacks, potentially accessing arbitrary files on the server file system. This can lead to unauthorized access to sensitive data such as configuration files and environment variables. Additionally, there is a separate vector in the same code path that can cause the server to crash via a malformed URI. This affects Vendure versions prior to 3.0.5 and 2.3.3.

Impact

The impact of this vulnerability is severe, with a CVSS base score of 9.1 out of 10. The potential impacts include:

1. Unauthorized access to sensitive data: Attackers can retrieve contents of arbitrary files on the server, including configuration files, environment variables, and other critical data.
2. Information disclosure: Confidential information stored on the server could be exposed.
3. Server stability: The separate vector allowing malformed URIs can cause the server to crash, potentially leading to denial of service.

These impacts are reflected in the CVSS scoring, which indicates HIGH confidentiality impact and HIGH availability impact, while integrity impact is NONE. The attack vector is NETWORK, requires no user interaction, and can be executed without any privileges, making it particularly dangerous.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

Patches are available in Vendure versions 3.0.5 and 2.3.3. It is strongly recommended to update to these versions or later to mitigate the vulnerability.

Mitigation

1. Update Vendure to version 3.0.5 or 2.3.3, depending on your current major version.
2. If immediate patching is not possible, consider the following workarounds:
   a. Use object storage (e.g., MinIO or S3) instead of the local file system for asset storage.
   b. Implement middleware to detect and block requests with URLs containing '/../'.
3. Review and restrict access to sensitive files and directories on the server.
4. Monitor for any suspicious access attempts or unexpected server crashes.
5. Implement strong input validation and sanitization for all user-supplied input, especially in URL paths.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5001279)

Oct 15, 2024 at 7:53 AM
Vendor Advisory

GitHub Advisories released a security advisory.

Oct 15, 2024 at 10:56 AM
CVE Assignment

NVD published the first details for CVE-2024-48914

Oct 15, 2024 at 4:15 PM
CVSS

A CVSS base score of 9.1 has been assigned.

Oct 15, 2024 at 4:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-48914.

Oct 15, 2024 at 4:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 15, 2024 at 4:21 PM
Threat Intelligence Report

CVE-2024-48914 is a critical vulnerability in Vendure's asset server plugin, with a CVSS score of 9.1, allowing attackers to perform path traversal attacks to access sensitive files and potentially crash the server via malformed URIs. Currently, there is no evidence of exploitation in the wild or public proof-of-concept exploits. Patches are available in Vendure versions 3.0.5 and 2.3.3, and it is recommended to implement mitigations such as using object storage and restricting access to sensitive files.

Oct 15, 2024 at 11:50 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 16, 2024 at 9:57 AM
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 21, 2024 at 7:10 PM

Affected Systems

Vendure/vendure

Exploits

https://github.com/EQSTLab/CVE-2024-48914

Patches

Github Advisory

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

[GHSA-r9mq-3c9r-fmjq] Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
In the same code path is an additional vector for crashing the server via a malformed URI. Again from Rajesh: There is also a potential Denial of Service (DoS) issue when incorrectly encoded URI characters are passed as part of the asset URL. The vulnerability stems from usage of decodedReqPath directly in path.join without performing any path normalization, i.e. path.normalize in node.js: https://github.com/vendure-ecommerce/vendure/blob/801980e8f599c28c5059657a9d85dd03e3827992/packages/asset-server-plugin/src/plugin.ts#L352-L358 If the vendure service is behind some server like nginx, apache, etc.

News

CVE-2024-48914 Arbitrary File Read and DoS PoC
description: Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. In the same code path is an additional vector for crashing the server via a malformed...
Vendure Arbitrary File Read / Denial Of Service
Authored by EQSTLab, Rajesh Sharma. Site: github.com. Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. In the same code path is an additional vector for crashing the server via a malformed URI. Patches are available in versions 3.0.5 and 2.3.3. Some workarounds are also available. One may use object storage rather than the local file system, e.g. MinIO or S3, or define middleware which detects and blocks requests with urls containing /../. Advisories: CVE-2024-48914
CVE-2024-48914 (CVSS 9.1): Critical File Read Flaw Discovered in Vendure E-commerce Platform
Vendure, a popular open-source headless commerce platform, has patched a critical security vulnerability that could allow attackers to read arbitrary files from the server, potentially exposing sensitive information like configuration files and environment variables. This vulnerability poses a significant risk to Vendure users who utilize the LocalAssetStorageStrategy, as it could allow attackers to steal sensitive data and disrupt service availability.
Update Mon Oct 21 22:28:30 UTC 2024
CVE-2024-48914 Exploit
CVE Id : CVE-2024-48914 Published Date: 2024-10-21T10:02:05+00:00 Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. In the same code path is an additional vector for crashing the server via a malformed URI. Patches are available in versions 3.0.5 and 2.3.3. Some workarounds are also available. One may use object storage rather than the local file system, e.g. MinIO or S3, or define middleware which detects and blocks requests with urls containing `/../`. inTheWild added a link to an exploit:

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: High
