Bug 2273531 (CVE-2024-31207)

Summary: CVE-2024-31207 vitejs: "server.fs.deny" configuration does not deny requests that include patterns
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drichtar, epacific, fjuma, ivassile, iweiss, jcammara, jhardy, jneedle, jobarker, lgao, mabashia, michaelginn529, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, pdrozd, peholase, pjindal, pmackay, pskopek, rowaters, rstancel, simaishi, smaestri, smcdonal, sthorger, teagle, tom.jenkinson, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: vite 5.2.6, vite 5.1.7, vite 5.0.13, vite 4.5.3, vite 3.2.10, vite 2.9.18 Doc Type: ---
Doc Text:
A flaw was found in the Node.js Vite package. When configuring the "server.fs.deny" server option to deny requests that include a pattern with directories such as /foo/**/*, the requests were still being allowed. This can potentially expose files or directories containing sensitive information. Only apps setting a custom "server.fs.deny" that includes a pattern with directories, and explicitly exposing the Vite dev server to the network using --host or server.host config option are affected.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2273528    

Description Robb Gatica 2024-04-04 20:59:17 UTC 
Vite (French word for "quick", pronounced /vit/, like "veet") is a frontend build tooling to improve the frontend development experience.`server.fs.deny` does not deny requests for patterns with directories. This vulnerability has been patched in version(s) 5.2.6, 5.1.7, 5.0.13, 4.5.3, 3.2.10 and 2.9.18. Note: Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected

https://github.com/vitejs/vite/commit/011bbca350e447d1b499d242804ce62738c12bc0
https://github.com/vitejs/vite/commit/5a056dd2fc80dbafed033062fe6aaf4717309f48
https://github.com/vitejs/vite/commit/89c7c645f09d16a38f146ef4a1528f218e844d67
https://github.com/vitejs/vite/commit/96a7f3a41ef2f9351c46f3ab12489bb4efa03cc9
https://github.com/vitejs/vite/commit/ba5269cca81de3f5fbb0f49d58a1c55688043258
https://github.com/vitejs/vite/commit/d2db33f7d4b96750b35370c70dd2c35ec3b9b649
https://github.com/vitejs/vite/security/advisories/GHSA-8jhw-289h-jh2g
Comment 2 JohnLupien 2024-07-01 03:40:58 UTC 
Thank you for suggesting some solutions to this problem. https://mergefruits.io