Platform: python
Component: litestar-org/litestar
Fixed in: 2.8.1, 1.37.1, 2.7.1, 2.0.1
CVE-2024-32982 describes a Path Traversal vulnerability discovered in Litestar, an Asynchronous Server Gateway Interface (ASGI) framework. The flaw allows attackers to bypass access controls and retrieve sensitive files from the server. It affects versions 2.0.0 through 2.8.2 and is resolved in version 2.8.3.
The core of this vulnerability lies in the static file serving component of Litestar. Attackers can leverage path traversal techniques to manipulate file paths, effectively bypassing intended directory restrictions. This allows them to access files located outside of the designated static content directory. The potential impact is significant, ranging from the disclosure of configuration files containing sensitive credentials to the retrieval of source code or other proprietary information. Successful exploitation could lead to a complete compromise of the server and its data, depending on the files accessed and the privileges of the Litestar process.
As of the public disclosure date (2024-05-06), there is no indication of active exploitation campaigns targeting CVE-2024-32982. However, the vulnerability's ease of exploitation and the potential for significant impact suggest it could become a target. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature makes it relatively straightforward to exploit. The vulnerability is not currently listed on the CISA KEV catalog.
Applications and services built using Litestar, particularly those serving static content, are at risk. This includes deployments utilizing custom static file serving configurations or those with inadequate input validation. Shared hosting environments where multiple applications share the same server and file system are also particularly vulnerable.
• python / server:

```python
import requests

# Probe the static route with a traversal sequence and report whether the
# server returned file content (hostname is a placeholder).
url = 'http://your-litestar-server/static/../../../../etc/passwd'  # Example path traversal attempt
response = requests.get(url)
if response.status_code == 200:
    print('Potential vulnerability detected: Path traversal successful!')
    print(response.text)
else:
    print('Path traversal attempt failed.')
```

• linux / server:

```bash
# Follow the service log and surface entries mentioning path traversal
journalctl -u litestar -f | grep "path traversal"
```

• generic web:

```bash
curl -I http://your-litestar-server/static/../../../../etc/passwd
```

Check the response headers for any unexpected content or errors.
Disclosure
Exploit status
EPSS: 0.23% (45th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-32982 is to immediately upgrade to Litestar version 2.8.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block path traversal attempts. Specifically, look for patterns involving directory traversal sequences like ../ in incoming requests. Additionally, review and restrict file permissions on the static content directory to minimize the potential damage from unauthorized access. After upgrading, verify the fix by attempting to access files outside the designated static content directory; access should be denied.
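The two defensive points above, containment of a requested path inside the static directory and detection of traversal sequences in request logs, are shown below as an added example. It is not Litestar's code and does not reproduce the project's fix; the helper names, the base directory `/srv/static` and the access-log lines are constructed for the example. The check decodes the request before resolving it and then tests the resolved path against the resolved base, so encoded and double-encoded `..` segments are caught rather than matched as strings.

```python
"""Containment check for a static file handler plus a traversal detector for
access logs. Added example, not Litestar's own code; base directory, helper
names and the sample log are constructed here."""
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote


def resolve_static_path(base_dir: str, requested: str) -> Optional[Path]:
    """Map a URL path below the static route to a file inside base_dir.

    Returns the resolved path, or None when the request would escape base_dir.
    resolve() collapses '..' and follows symlinks, and the containment check is
    made on the resolved result, never on the raw request string.
    """
    base = Path(base_dir).resolve()
    # Decode twice so %2e%2e and double-encoded %252e%252e forms are normalised.
    decoded = unquote(unquote(requested))
    # NUL bytes and backslash separators have no place in a static file name.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Drop a leading slash; otherwise Path joining treats the request as absolute.
    candidate = (base / decoded.lstrip("/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def is_traversal_attempt(request_path: str) -> bool:
    """True when any path segment, after decoding, is exactly '..'.

    Segment comparison avoids flagging legitimate names such as 'logo..png'.
    """
    decoded = unquote(unquote(request_path)).replace("\\", "/")
    return ".." in decoded.split("/")


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/May/2024:10:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 512
10.0.0.9 - - [06/May/2024:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [06/May/2024:10:00:03 +0000] "GET /static/%2e%2e/%2e%2e/config.py HTTP/1.1" 404 0
10.0.0.7 - - [06/May/2024:10:00:04 +0000] "GET /static/img/logo..png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def find_traversal_requests(log_text: str) -> List[str]:
    """Return the request paths in log_text that contain a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match and is_traversal_attempt(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    for req in ("css/app.css", "../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", resolve_static_path("/srv/static", req))
    print("flagged:", find_traversal_requests(SAMPLE_LOG))
```

Note that the detector only finds requests that reach the application log in their raw form; a reverse proxy that normalises dot segments before forwarding will hide them from this view, so the same check should be run on the proxy's own log.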
Upgrade Litestar to version 2.8.3, 2.7.2 or 2.6.4, or later. This fixes the path traversal vulnerability in the static file serving component. The update prevents unauthorized access to sensitive files outside the designated directories.
CVE-2024-32982 is a Path Traversal vulnerability affecting Litestar versions from 2.0.0 up to but not including 2.8.3, allowing attackers to access sensitive files outside designated directories.
You are affected if you are using Litestar versions 2.0.0 through 2.8.2; version 2.8.3 contains the fix.
Upgrade to Litestar version 2.8.3 or later to remediate the vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns, but public PoCs are likely to emerge.
Refer to the Litestar project's security advisories and release notes for the official announcement and details: [https://litestar.dev/](https://litestar.dev/)