Litestar ASGI Framework Vulnerable to Environment Variable Injection
CVE-2024-42370

8.3HIGH

Key Information:

Vendor

Litestar-org

Status
Litestar
Vendor
CVE Published:
12 August 2024

What is CVE-2024-42370?

The Litestar ASGI framework is affected by a vulnerability that permits environment variable injection within the docs-preview.yml workflow. This issue compromises sensitive information, potentially allowing unauthorized access for malicious actors. The vulnerability could lead to the exfiltration of secrets and manipulation of the repository, enabling attackers to create issues and pull requests, as well as view critical repository metadata. A commit has been made to address this vulnerability and restore security after the exposure of the DOCS_PREVIEW_DEPLOY_TOKEN environment variable.

Affected Version(s)

litestar <= 2.10.0

References

https://github.com/litestar-org/litestar/security/advisor...
x_refsource_CONFIRM
https://github.com/litestar-org/litestar/commit/84d351e96...
x_refsource_MISC
https://github.com/litestar-org/litestar/actions/runs/100...
x_refsource_MISC

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.