Litestar ASGI Framework Vulnerable to Local File Inclusion (LFI) Attacks
CVE-2024-32982

8.2 HIGH

Key Information:

Status
Vendor
CVE Published: 6 May 2024

What is CVE-2024-32982?

A Local File Inclusion vulnerability exists in the static file serving component of the Litestar and Starlite ASGI frameworks. The flaw is a path traversal: a crafted request path can reach files outside the directories designated for static serving, giving an unauthenticated remote client unauthorized read access to sensitive files. The root cause is the file path handling in the static content serving function, specifically in litestar/static_files/base.py. Successful exploitation could disclose sensitive information or otherwise compromise the security of the server. The issue has been addressed in versions 2.8.3, 2.7.2, and 2.6.4, and users are advised to upgrade to the latest versions to mitigate the risk.
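The defensive control the description points at is path containment: whatever the requester supplies, the resolved filesystem path must stay under the configured static root. The following is an added illustration of that check, written for this page; it is hypothetical example code and not Litestar's own static file implementation. The function names (resolve_static_path, classify_requests, build_demo_root), the sample directory layout and the request strings are all constructed here. It assumes the request path has already been percent-decoded by the framework (decoding inside the check as well would be a double-decode bug).

```python
"""Added example: path-containment check for a static file handler.

Hypothetical illustration code, not Litestar's implementation. It shows the
class of check a static-file server needs so that a requested path can never
resolve to a file outside the configured root directory.
"""
from pathlib import Path, PurePosixPath
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the static root."""


def resolve_static_path(root: Path, requested: str) -> Path:
    """Map an already percent-decoded URL path onto a file under ``root``.

    Defensive steps, in order:
    1. Reject NUL bytes and backslashes, which some filesystem layers treat
       specially (a backslash is a separator on Windows).
    2. Parse the request as a pure POSIX path and drop its leading anchor, so
       an absolute request cannot replace ``root``.
    3. Reject any ``..`` segment outright, even one that would normalise back
       inside the root (strict policy: static URLs never need it).
    4. Resolve the joined path (following symlinks) and verify the result is
       still inside the resolved root. This is the authoritative check.
    """
    if "\x00" in requested or "\\" in requested:
        raise PathTraversalError(f"illegal character in {requested!r}")
    root = root.resolve(strict=True)
    # Prepending "/" makes parts[0] the anchor for every input, so parts[1:]
    # is always the relative segment list, whether or not the request was
    # absolute. PurePosixPath also collapses "." and empty segments for us.
    parts = PurePosixPath("/" + requested).parts[1:]
    if ".." in parts:
        raise PathTraversalError(f"parent-directory segment in {requested!r}")
    candidate = root.joinpath(*parts).resolve()
    # Symlinks inside the root may still point outside it; refuse those too.
    if not candidate.is_relative_to(root):
        raise PathTraversalError(f"{requested!r} resolves outside static root")
    return candidate


def classify_requests(root: Path, requests: list[str]) -> dict[str, str]:
    """Return a verdict per request: 'served:<rel>', 'rejected' or 'missing'.

    'missing' means the path stayed inside the root but no such file exists,
    which is the correct outcome for an absolute request like '/etc/passwd'.
    """
    resolved_root = root.resolve()
    verdicts: dict[str, str] = {}
    for req in requests:
        try:
            path = resolve_static_path(root, req)
        except PathTraversalError:
            verdicts[req] = "rejected"
            continue
        if path.is_file():
            verdicts[req] = "served:" + path.relative_to(resolved_root).as_posix()
        else:
            verdicts[req] = "missing"
    return verdicts


def build_demo_root() -> tuple[Path, bool]:
    """Create a throwaway static root with constructed sample files.

    Layout (every file here is constructed for this example):
        <tmp>/outside.txt          secret that must never be served
        <tmp>/static/index.html
        <tmp>/static/css/site.css
        <tmp>/static/link_out.txt  symlink -> ../outside.txt (if supported)
    Returns the static root and whether the symlink could be created.
    """
    tmp = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    (tmp / "outside.txt").write_text("secret\n")
    static = tmp / "static"
    (static / "css").mkdir(parents=True)
    (static / "index.html").write_text("<h1>hello</h1>\n")
    (static / "css" / "site.css").write_text("body{}\n")
    try:
        (static / "link_out.txt").symlink_to(tmp / "outside.txt")
        has_symlink = True
    except OSError:  # symlink creation needs privileges on some platforms
        has_symlink = False
    return static, has_symlink


if __name__ == "__main__":
    demo_root, _ = build_demo_root()
    probes = ["index.html", "css/site.css", "../outside.txt", "/etc/passwd",
              "css/../index.html", "link_out.txt", "..\\..\\secret", "nope.txt"]
    for req, verdict in classify_requests(demo_root, probes).items():
        print(f"{req!r:24} -> {verdict}")
```

Two design points are worth noting. The segment-level `..` rejection is a cheap early filter, but the containment test after `resolve()` is the one that actually guarantees the property, because only it accounts for symlinks and platform-specific separator handling; a handler that normalises strings without resolving against the real root is the pattern that produces this class of bug. And the function deliberately distinguishes "rejected" (a traversal attempt worth logging) from "missing" (an ordinary 404), which is the signal a detection rule would key on.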

Affected Version(s)

litestar >= 2.8.0, < 2.8.3

litestar >= 1.37.0, <= 1.51.14

litestar >= 2.7.0, < 2.7.2

References

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
