Vulnerability in Vendure's Asset Server Plugin Allows File Access and Server Crash
CVE-2024-48914

9.1 CRITICAL

Key Information:

Status
Vendor
CVE Published: 15 October 2024

Badges

👾 Exploit Exists
🟡 Public PoC
🟣 EPSS 90%

What is CVE-2024-48914?

The Vendure headless commerce platform has a path traversal vulnerability in its asset server plugin, affecting versions prior to 3.0.5 and 2.3.3. An attacker can craft a request that traverses the server's file system and reads arbitrary files, including potentially sensitive data such as configuration files, environment variables, and other critical information stored on the server. The same code path can also be used to crash the server with malformed URIs. Users should upgrade to the patched versions 3.0.5 or 2.3.3, or apply a workaround such as moving assets to an object storage solution like MinIO or S3, or defining middleware that blocks requests whose URLs contain sequences like '/../'.
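The middleware workaround mentioned above, written out as an added example (this is not Vendure's own code or patch): an Express-style filter that rejects any request whose path, after percent-decoding, contains a parent-directory segment, and that fails closed on malformed percent-encoding instead of letting the decoder throw. The function names and the '/assets' mount path are assumptions for illustration.

```javascript
// Added example, not Vendure's code: a request filter in the spirit of the
// advisory's workaround (reject URLs carrying '/../' before they reach the
// asset server). Function names and the '/assets' mount path are assumptions.

// Percent-decode repeatedly (bounded) so that a double-encoded sequence such
// as %252e%252e does not slip past a single decode. Returns null on malformed
// input instead of throwing.
function fullyDecode(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch (e) {
      // A lone '%' or a truncated escape makes decodeURIComponent throw a
      // URIError. The advisory notes malformed URIs can crash the vulnerable
      // code path, so treat that as a rejection rather than propagating it.
      if (e instanceof URIError) return null;
      throw e;
    }
    if (next === cur) return cur;   // stable: nothing left to decode
    cur = next;
  }
  return cur;
}

// Returns a short rejection reason, or null if the request path may proceed.
function checkAssetPath(rawUrl) {
  const pathPart = rawUrl.split('?')[0];          // ignore the query string
  const decoded = fullyDecode(pathPart);
  if (decoded === null) return 'malformed percent-encoding';
  if (decoded.includes('\0')) return 'embedded null byte';
  // Treat '/' and '\' as segment boundaries; a bare '..' segment anywhere is
  // exactly what the advisory's '/../' rule is meant to stop. A name such as
  // 'a..b' is left alone because it is not a parent-directory reference.
  for (const seg of decoded.split(/[\\/]/)) {
    if (seg === '..') return 'parent-directory segment';
  }
  return null;
}

// Express-style middleware factory. Mount it ahead of the asset server route,
// e.g. app.use('/assets', blockTraversal())  (assumed mount path).
function blockTraversal() {
  return (req, res, next) => {
    const reason = checkAssetPath(req.url);
    if (reason !== null) {
      res.status(400).send('Bad request');
      return;
    }
    next();
  };
}
```

Rejected requests are answered with a plain 400 so the asset server never sees the path; log the reason string server-side if you want detection coverage for these attempts.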

Affected Version(s)

vendure < 2.3.3 (fixed in 2.3.3)

vendure >= 3.0.0, < 3.0.5 (introduced in 3.0.0, fixed in 3.0.5)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

References

EPSS Score

90% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability reserved
