CVE-2024-48914 Information
Description
Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server. In the same code path is an additional vector for crashing the server via a malformed URI. Patches are available in versions 3.0.5 and 2.3.3. Some workarounds are also available: one may use object storage rather than the local file system (e.g. MinIO or S3), or define middleware which detects and blocks requests with URLs containing "/../".
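The middleware workaround described above, as an added example that is not Vendure's own code: a Node/Express-style handler (the framework hooks are assumed) that rejects any request whose path contains a ".." segment, in raw or percent-encoded form, and that answers a malformed URI with 400 instead of letting the URIError thrown by decodeURIComponent crash the process.

```javascript
// Added example, not part of the Vendure project. Implements the advisory's
// workaround: detect and block requests with URLs containing "/../", and
// turn a malformed URI into a client error rather than an unhandled exception.

// Returns 'malformed', 'traversal', or 'ok' for a request path.
function classifyAssetUrl(url) {
  // Ignore the query string; only the path is used to locate an asset.
  let path = url.split('?')[0];
  // Percent-decode until the string is stable so that double-encoded
  // sequences such as "%252e%252e" ("%2e%2e" -> "..") are also caught.
  try {
    for (let i = 0; i < 3; i++) {
      const decoded = decodeURIComponent(path);
      if (decoded === path) break;
      path = decoded;
    }
  } catch (e) {
    // decodeURIComponent throws URIError on a bad escape such as "%A".
    if (e instanceof URIError) return 'malformed';
    throw e;
  }
  // Treat backslashes as separators too, then look for a ".." segment.
  const segments = path.replace(/\\/g, '/').split('/');
  if (segments.includes('..')) return 'traversal';
  return 'ok';
}

// Express-style middleware (req/res/next shape assumed). Mount it ahead of the
// asset route so bad requests never reach the file-system lookup.
function blockTraversal(req, res, next) {
  const verdict = classifyAssetUrl(req.url);
  if (verdict === 'ok') return next();
  res.statusCode = verdict === 'malformed' ? 400 : 403;
  res.end(verdict === 'malformed' ? 'Bad Request' : 'Forbidden');
}

module.exports = { classifyAssetUrl, blockTraversal };
```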
Reference
https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-r9mq-3c9r-fmjq
https://github.com/vendure-ecommerce/vendure/commit/e2ee0c43159b3d13b51b78654481094fdd4850c5
https://github.com/vendure-ecommerce/vendure/commit/e4b58af6822d38a9c92a1d8573e19288b8edaa1c
https://github.com/vendure-ecommerce/vendure/blob/801980e8f599c28c5059657a9d85dd03e3827992/packages/asset-server-plugin/src/plugin.ts#L352-L358