Platform: python
Component: litestar-org/litestar
Fixed in: 2.8.1, 1.37.1, 2.7.1, 2.0.1
CVE-2024-32982 describes a Path Traversal vulnerability discovered in Litestar, an Asynchronous Server Gateway Interface (ASGI) framework. This flaw allows attackers to bypass intended access restrictions and retrieve sensitive files from the server. The vulnerability affects versions 2.0.0 through 2.8.2; version 2.8.3 contains the fix.
The core of this vulnerability lies in the static file serving component of Litestar. Attackers can leverage path traversal techniques, such as using sequences like ../, to navigate outside the intended static file directories. This unauthorized access can expose sensitive configuration files, source code, or other critical data stored on the server. Successful exploitation could lead to information disclosure, potentially enabling further attacks, such as privilege escalation or remote code execution if sensitive credentials or scripts are exposed. The blast radius extends to any data accessible through the server's file system, depending on the attacker's ability to manipulate file paths.
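The check at the heart of this bug class, as an added Python example that is not Litestar's code and not taken from the advisory: a naive join-and-serve resolver beside a hardened one that normalizes the decoded request path and requires it to stay inside the static root, plus a filesystem variant that also follows symlinks. STATIC_ROOT, the request paths and the temporary directory built by demo_on_disk() are constructed for the example.

```python
import posixpath
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed example root; not a path from Litestar or from the advisory.
STATIC_ROOT = "/srv/app/static"


def resolve_naive(request_path: str) -> str:
    """The pattern behind a static-file traversal bug: decode, join, serve.

    Returns the path the operating system would actually open, i.e. with the
    '..' segments collapsed, so the escape from STATIC_ROOT is visible.
    """
    joined = posixpath.join(STATIC_ROOT, unquote(request_path).lstrip("/"))
    return posixpath.normpath(joined)


def resolve_safe(request_path: str) -> Optional[str]:
    """Hardened version: normalize first, then require containment in the root.

    Returns the normalized on-disk path, or None if the request must be refused.
    """
    decoded = unquote(request_path)          # one decode; %2e%2e becomes ..
    if "\x00" in decoded:                    # NUL can truncate paths in C APIs
        return None
    candidate = posixpath.normpath(posixpath.join(STATIC_ROOT, decoded.lstrip("/")))
    # Prefix check on the *normalized* path, including the separator, so a
    # sibling such as /srv/app/static-private does not pass as "inside".
    if candidate != STATIC_ROOT and not candidate.startswith(STATIC_ROOT + "/"):
        return None
    return candidate


def resolve_on_disk(root: Path, request_path: str) -> Optional[Path]:
    """Same containment check against a real directory, following symlinks.

    normpath() alone cannot see a symlink inside the root that points outside
    it; Path.resolve() turns both '..' and symlinks into the real target first.
    """
    real_root = root.resolve()
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    candidate = (real_root / decoded.lstrip("/")).resolve()
    if not candidate.is_relative_to(real_root):   # Python 3.9+
        return None
    return candidate if candidate.is_file() else None


def demo_on_disk() -> dict:
    """Build a throwaway static root (constructed fixture) with a symlink that
    points outside it, and report which requests the hardened check serves."""
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    (root / "css").mkdir(parents=True)
    (root / "css" / "site.css").write_text("body{}")
    (base / "secret.env").write_text("TOKEN=constructed-value")
    (root / "leak").symlink_to(base / "secret.env")   # symlink escaping the root
    return {
        req: resolve_on_disk(root, req) is not None
        for req in ["css/site.css", "../secret.env", "leak"]
    }


if __name__ == "__main__":
    for req in ["css/site.css", "../../../../etc/passwd", "%2e%2e/%2e%2e/app/config.py"]:
        print(f"{req!r:34} naive -> {resolve_naive(req)!r:32} safe -> {resolve_safe(req)!r}")
    print(demo_on_disk())
```

The decisive detail is ordering: the containment test runs on the path after normalization (and, on disk, after symlink resolution), never on the raw request string, because string-level filtering of `../` misses percent-encoded and symlink-based variants.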
CVE-2024-32982 was publicly disclosed on May 6, 2024. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the relatively simple nature of path traversal vulnerabilities, increasing the risk of exploitation.
Applications and services built using Litestar, particularly those serving static content, are at risk. This includes deployments utilizing custom static file serving configurations or those with inadequate input validation. Shared hosting environments where multiple applications share the same server and file system are also particularly vulnerable.
• python / server:

import requests

# Example path traversal attempt against your own deployment; replace the host.
url = 'http://your-litestar-server/static/../../../../etc/passwd'
response = requests.get(url, timeout=10)
if response.status_code == 200:
    print('Potential vulnerability detected: Path traversal successful!')
    print(response.text)
else:
    print('Path traversal attempt failed.')

• linux / server:

# Access logs never literally say "path traversal"; match the traversal sequences themselves (plain and percent-encoded).
journalctl -u litestar -f | grep -iE '\.\./|%2e%2e'

• generic web:

curl -I http://your-litestar-server/static/../../../../etc/passwd

Check the response headers for any unexpected content or errors.
Exploit status: disclosure
EPSS: 0.23% (45th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-32982 is to upgrade to Litestar version 2.8.3 or later, which contains the fix for the path traversal vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. These may include restricting access to the static file serving endpoint using a Web Application Firewall (WAF) or proxy server, configuring strict file access controls on the server, and carefully reviewing the file paths used in the application to ensure they are properly sanitized. Monitor access logs for suspicious file requests containing path traversal sequences. After upgrading, confirm the fix by attempting a path traversal attack on the static file serving endpoint and verifying that access is denied.
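The log monitoring step above, as an added example that is not part of the advisory and not Litestar's own tooling: a scanner that percent-decodes each logged request target until stable (so double-encoded sequences are caught), splits it into path segments and flags any request containing a `..` segment, reporting whether the server answered with a 2xx. The combined-format log lines in SAMPLE_LOG and the addresses in them are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access log lines in combined log format; these are sample
# requests written for this example, not real traffic or advisory data.
SAMPLE_LOG = """\
203.0.113.10 - - [06/May/2024:10:01:02 +0000] "GET /static/css/site.css HTTP/1.1" 200 1423
203.0.113.11 - - [06/May/2024:10:01:05 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 153
203.0.113.12 - - [06/May/2024:10:01:09 +0000] "GET /static/%2e%2e/%2e%2e/app/config.py HTTP/1.1" 200 512
203.0.113.13 - - [06/May/2024:10:01:12 +0000] "GET /static/..%252f..%252fsecrets.env HTTP/1.1" 404 153
203.0.113.14 - - [06/May/2024:10:01:20 +0000] "GET /static/images/logo..png?v=2 HTTP/1.1" 200 9812
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252e (double-encoded '.') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def has_traversal(target: str) -> bool:
    """True when any path segment of the decoded request target is '..'.

    Splitting into segments (on '/' and '\\') avoids flagging benign file
    names such as 'logo..png' while still catching encoded separators.
    """
    path = target.split("?", 1)[0]
    segments = re.split(r"[\\/]", fully_decode(path))
    return ".." in segments


def scan(log_text: str) -> list:
    """Return one finding per request whose path contains a traversal segment."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not has_traversal(m["target"]):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "target": m["target"],
            "decoded": fully_decode(m["target"].split("?", 1)[0]),
            "status": status,
            # A 2xx on a traversal request is the case that needs investigation:
            # the server may have returned a file from outside the static root.
            "served": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f'{f["ip"]:15} {flag:8} {f["status"]} {f["decoded"]}')
```

Blocked attempts (4xx) still matter as reconnaissance indicators, but a traversal request answered with 200 on an unpatched version is the signal to treat as a probable disclosure and to confirm against the upgrade state of that host.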
Upgrade Litestar to version 2.8.3, 2.7.2 or 2.6.4, or later. This fixes the path traversal vulnerability in the static file serving component. The update prevents unauthorized access to sensitive files outside the designated directories.
CVE-2024-32982 is a Path Traversal vulnerability affecting Litestar versions from 2.0.0 up to, but not including, 2.8.3, allowing attackers to access sensitive files outside designated directories.
You are affected if you are using Litestar versions 2.0.0 through 2.8.2 (excluding 2.8.3).
Upgrade to Litestar version 2.8.3 or later to remediate the vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns, but public PoCs are likely to emerge.
Refer to the Litestar project's security advisories and release notes for the official announcement and details: [https://litestar.dev/](https://litestar.dev/)