Platform
nodejs
Component
@vendure/asset-server-plugin
Fixed versions
2.3.4
3.0.1
2.3.3
CVE-2024-48914 is a critical path traversal vulnerability in the Vendure Asset Server Plugin (@vendure/asset-server-plugin). The plugin serves uploaded assets from a directory on the server under the /assets route; a request whose path carries literal `..` segments (which browsers and most HTTP clients normalize away, hence `curl --path-as-is` in the proof of concept) is joined onto that directory without being rejected, so the request escapes it and reads arbitrary files the Vendure process can access, including configuration files and environment files. Affected versions are those before 2.3.3 and, on the 3.x line, those before 3.0.5; fixed releases are available. Exploitation needs nothing more than a single crafted HTTP request.
The impact is primarily a loss of confidentiality. An attacker can read any file the Node.js process user can read: Vendure configuration files containing database credentials and API keys, `.env` files holding database passwords and external service tokens, and the application source itself. Leaked credentials can then be used for follow-on compromise of the database, the Vendure admin API or third-party services. The traversal itself is read-only, so any integrity impact comes through those leaked secrets rather than through the vulnerability directly.
The vulnerability was publicly disclosed on 2024-10-15, and a proof of concept (PoC) is public: one HTTP request with an unnormalized `../` in the path. Because exploitation is trivial and the payoff is server-side secrets, the likelihood of exploitation is high. It is not listed in the CISA KEV catalogue as of this writing, but its severity warrants close monitoring.
Vendure e-commerce deployments running the Asset Server Plugin with assets served from the local file system are exposed. Versions before 2.3.3 (and 3.x before 3.0.5) are vulnerable regardless of configuration; the damage scales with what the Vendure process user is allowed to read, so deployments where that user can read the application source, environment files or other tenants' data are hit hardest. Shared hosting environments where several applications run under the same user or share a file system are at increased risk, since compromising one application can expose the others' files.
• nodejs / server:
grep -m1 '"version"' /var/www/your-vendure-app/node_modules/@vendure/asset-server-plugin/package.json # Installed plugin version; vulnerable if below 2.3.3, or 3.0.0 through 3.0.4
• generic web:
grep -Ei 'GET /assets/[^ ]*(\.\./|%2e%2e|\.\.%2f)' /var/log/nginx/access.log # Traversal attempts against /assets, including percent-encoded forms
• generic web:
grep -Ei 'GET /assets/[^ ]*(\.\./|%2e%2e|\.\.%2f)' /var/log/nginx/access.log | grep ' 200 ' # Only the attempts the server answered with 200, i.e. likely successful reads
Exploit status
EPSS
92.50% (100th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-48914 is to upgrade @vendure/asset-server-plugin immediately to 2.3.3 or later (3.0.5 or later on the 3.x line). If upgrading is not immediately feasible because of compatibility issues or breaking changes, apply temporary workarounds: block requests to /assets whose path contains traversal sequences, at a Web Application Firewall (WAF), at the reverse proxy, or in Vendure middleware. Such a rule must match percent-encoded forms (`%2e%2e`, `..%2f`) as well as the literal `../`, and a reverse proxy that forwards the original request URI verbatim (nginx does this when `proxy_pass` carries no URI part) hands the `..` through to Node unchanged, so the rule has to inspect the raw path. Run the Vendure process as a dedicated user with read access only to what it needs, so a successful traversal cannot reach unrelated secrets or other applications. Monitor access logs for `..` in /assets request paths. After upgrading, confirm the fix by re-running the PoC (`curl --path-as-is http://localhost:3000/assets/../package.json`) and verifying that it no longer returns the file contents.
Update Vendure to version 2.3.3 or later, or to version 3.0.5 or later. Alternatively, store assets in object storage (for example MinIO or S3) instead of the local file system. You can also define middleware that detects and blocks requests whose URL contains `/../`.
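As an added example (this is not code from the page or from the Vendure project), the following JavaScript implements the two defensive pieces described in the log checks above and in the middleware workaround here: a traversal check that also catches percent-encoded and double-encoded forms, an Express-style middleware built on it that rejects such requests to /assets, and a scanner that runs the same check over access-log lines. The log lines and addresses are constructed for the example; the three-round decode limit and the 400 status are my choices, not anything the advisory prescribes.

```javascript
// Added example, not Vendure project code. Uses only Node.js built-ins.

// Repeatedly percent-decode a path so that %2e%2e, %252e%252e, ..%2f and
// similar encodings are caught; stop when decoding is stable (three rounds is
// an arbitrary cap) or when the input holds a malformed escape such as "%zz".
function normalizePath(rawPath) {
  let p = rawPath;
  for (let round = 0; round < 3; round++) {
    let decoded;
    try {
      decoded = decodeURIComponent(p);
    } catch {
      break; // malformed escape: keep what we have, it cannot decode to ".."
    }
    if (decoded === p) break;
    p = decoded;
  }
  // Treat backslashes as separators too, as path.join on Windows would.
  return p.replace(/\\/g, '/');
}

// True when any path segment is exactly "..". Comparing whole segments avoids
// false positives on legitimate names such as "photo..jpg".
function containsTraversal(rawPath) {
  return normalizePath(rawPath).split('/').includes('..');
}

// Express-compatible middleware: reject traversal attempts before they reach
// the asset server. Only the path part of the URL is inspected, because a
// query string may legitimately contain "..".
function blockTraversal(req, res, next) {
  const pathOnly = req.url.split('?')[0];
  if (containsTraversal(pathOnly)) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Scan combined-format access-log text for requests whose path traverses.
// Returns one record per suspicious line with the request path and status,
// so "200" hits (likely successful reads) can be triaged first.
function findTraversalRequests(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    const m = line.match(/"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+" (\d{3})/);
    if (!m) continue;
    const pathOnly = m[1].split('?')[0];
    if (containsTraversal(pathOnly)) {
      hits.push({ path: m[1], status: Number(m[2]), line });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic): a benign asset request,
// literal and encoded traversal, double encoding, and ".." only in the query.
const SAMPLE_LOG = [
  '10.0.0.5 - - [15/Oct/2024:10:01:02 +0000] "GET /assets/preview/71/cat__preview.jpg HTTP/1.1" 200 1234',
  '198.51.100.7 - - [15/Oct/2024:10:02:10 +0000] "GET /assets/../package.json HTTP/1.1" 200 812',
  '198.51.100.7 - - [15/Oct/2024:10:02:11 +0000] "GET /assets/..%2f..%2f.env HTTP/1.1" 200 301',
  '198.51.100.7 - - [15/Oct/2024:10:02:12 +0000] "GET /assets/%252e%252e/package.json HTTP/1.1" 404 0',
  '10.0.0.5 - - [15/Oct/2024:10:03:00 +0000] "GET /assets/search?q=..%2fhidden HTTP/1.1" 200 50',
].join('\n');

console.log(findTraversalRequests(SAMPLE_LOG).map((h) => `${h.status} ${h.path}`));
```

To wire the middleware into a Vendure server the usual place is `apiOptions.middleware` in the Vendure config, with an entry such as `{ handler: blockTraversal, route: 'assets' }` (this assumes the `handler`/`route` shape of Vendure's middleware option; check it against the version you run). It is a stopgap for the window before the upgrade, not a replacement for it.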
CVE-2024-48914 is a critical path traversal vulnerability in the Vendure Asset Server Plugin allowing attackers to access arbitrary files on the server.
You are affected if you are using a version of the Vendure Asset Server Plugin prior to 2.3.3, or a 3.x version prior to 3.0.5.
Upgrade the Vendure Asset Server Plugin to version 2.3.3 or later (3.0.5 or later on 3.x). Consider WAF or middleware rules that block `..` in /assets request paths, including percent-encoded forms, as a temporary workaround if an immediate upgrade is not possible.
While active exploitation is not confirmed, a public POC exists, increasing the likelihood of exploitation.
Refer to the Vendure security advisory for detailed information and updates: [https://vendure.io/blog/security-advisory-cve-2024-48914](https://vendure.io/blog/security-advisory-cve-2024-48914)