Platform: nodejs
Component: @vendure/asset-server-plugin
Fixed in: 2.3.4, 3.0.1, 2.3.3
CVE-2024-48914 is a high-severity path traversal vulnerability in the Vendure Asset Server Plugin (@vendure/asset-server-plugin). When the plugin serves assets from the local file system, a request to the /assets endpoint whose path contains `..` segments is resolved outside the assets directory, so an unauthenticated attacker can read any file the Node.js process user can read, including configuration files, `.env` files and the project's package.json. The flaw affects plugin versions prior to 2.3.3 and 3.0.x releases prior to 3.0.5; fixed versions have been released. Exploitation needs nothing more than an HTTP request with a traversal sequence in the path; no credentials or special tooling are involved.
The impact is significant. The bug is a read primitive, not a write or execute one, so on its own it breaks confidentiality rather than integrity; the route to full compromise runs through what the readable files contain. Configuration files and environment files typically hold database credentials, Vendure admin or API tokens, payment-provider keys and storage secrets. With those an attacker can connect to the database directly, authenticate to the admin API, alter the store's configuration, or pivot to other services, and if the leaked material includes deployment or shell credentials the result can be remote code execution on the host. The scope of what is readable is bounded by the file permissions of the account running Vendure, which is why the hardening advice below matters even after patching.
The vulnerability was publicly disclosed on 2024-10-15 together with a proof of concept (POC) consisting of a single `curl` request, so exploitation is trivial. The low cost of exploitation and the value of the exposed data suggest a medium to high probability of exploitation in the wild. It is not listed on CISA KEV as of this writing, but its severity warrants close monitoring.
Vendure e-commerce deployments that use the Asset Server Plugin with the local file system as asset storage are at risk. Deployments on plugin versions prior to 2.3.3 (or 3.0.x prior to 3.0.5) are vulnerable, and the damage is greatest where the Node.js process user can read secrets outside the assets directory. Shared hosting environments in which several applications run under the same account are at increased risk, because a compromise of one application can expose the files of the others.
• nodejs / server:
grep '"version"' node_modules/@vendure/asset-server-plugin/package.json  # installed plugin version; affected if below 2.3.3, or a 3.0.x release below 3.0.5
• generic web:
grep -iE 'GET /assets/[^ ]*(\.\./|%2e%2e|\.%2e|%2e\.)' /var/log/nginx/access.log  # traversal sequences against the assets endpoint, plain or URL-encoded
• generic web:
curl --path-as-is -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/assets/../package.json  # 200 means the server still serves files outside the assets directory
Exploit status: public POC available; active exploitation not confirmed; not listed on CISA KEV at time of writing
EPSS: 92.50% (percentile 100%)
The primary mitigation for CVE-2024-48914 is to upgrade the Vendure Asset Server Plugin immediately: to 2.3.3 or later on the 2.x line, or to 3.0.5 or later on the 3.x line. If upgrading is not immediately feasible because of compatibility issues or breaking changes, apply temporary workarounds. Restrict access to the /assets endpoint at a Web Application Firewall (WAF) or reverse proxy and block requests containing path traversal sequences; the rule must match on the URL-decoded path, otherwise `%2e%2e/` and double-encoded variants slip through, and it should be treated as a stopgap rather than a fix. Review and harden file system permissions so the account running Vendure cannot read secrets it does not need, which limits what a successful traversal can reach. Monitor access logs for requests to /assets that contain traversal sequences. After upgrading, confirm the fix by running the published POC (curl --path-as-is http://localhost:3000/assets/../package.json) and verifying that it no longer returns the contents of files outside the assets directory.
Update Vendure to version 2.3.3 or later, or to version 3.0.5 or later. Alternatively, use object storage instead of the local file system (for example MinIO or S3), which removes the local path lookup altogether. You can also add middleware that detects and rejects requests whose URL contains `/../`.
CVE-2024-48914 is a high-severity path traversal vulnerability in the Vendure Asset Server Plugin that allows unauthenticated attackers to read arbitrary files the server process can access.
You are affected if you use the Vendure Asset Server Plugin with local file system storage on a version prior to 2.3.3, or on a 3.0.x release prior to 3.0.5.
Upgrade the Vendure Asset Server Plugin to 2.3.3 or later (3.0.5 or later on the 3.x line). Consider WAF rules that match traversal sequences on the decoded path as a temporary workaround if an immediate upgrade is not possible.
While active exploitation is not confirmed, a public POC exists, increasing the likelihood of exploitation.
Refer to the Vendure security advisory for detailed information and updates: [https://vendure.io/blog/security-advisory-cve-2024-48914](https://vendure.io/blog/security-advisory-cve-2024-48914)