Vulnerability in Vendure's Asset Server Plugin Allows File Access and Server Crash
CVE-2024-48914
Key Information:
- Vendor: Vendure-ecommerce
- Status: Vendor
- CVE Published: 15 October 2024
What is CVE-2024-48914?
The Vendure headless commerce platform has a path traversal vulnerability in its asset server plugin that affects versions prior to 3.0.5 and 2.3.3. An attacker can craft a request whose path traverses the server's file system, enabling them to read arbitrary files. This includes potentially sensitive data such as configuration files, environment variables, and other critical information stored on the server. The same code path can also be made to crash the server by sending a malformed URI. It is recommended that users upgrade to the patched versions 3.0.5 or 2.3.3, or apply workarounds such as serving assets from an object storage solution like MinIO or S3, and defining middleware that blocks requests whose URLs contain sequences like '/../'.
Affected Version(s)
vendure < 2.3.3
vendure >= 3.0.0, < 3.0.5
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
EPSS Score
90% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved