How severe is CVE-2024-23331?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2024-23331?

This is classified as CWE-178, which is a common weakness in software security.

CVE-2024-23331 - HIGH Severity | CVSS 7.5

Vulnerability Description

Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in [email protected], [email protected], [email protected], and [email protected]. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers.

Related Vulnerabilities

CVE-1999-0239

HIGH

CVSS:7.5(High)

Netscape FastTrack Web server lists files when a lowercase "get" command is used instead of an uppercase GET.

CWE-1781999

CVE-2000-0497

HIGH

CVSS:7.5(High)

IBM WebSphere server 3.0.2 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.

CWE-1782000

CVE-2000-0498

HIGH

CVSS:7.5(High)

Unify eWave ServletExec allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.

CWE-1782000

CVE-2000-0499

HIGH

CVSS:7.5(High)

The default configuration of BEA WebLogic 3.1.8 through 4.5.1 allows a remote attacker to view source code of a JSP program by requesting a URL which provides the JSP extension in upper case.

CWE-1782000

CVE-2001-0795

HIGH

CVSS:7.5(High)

Perception LiteServe 1.25 allows remote attackers to obtain source code of CGI scripts via URLs that contain MS-DOS conventions such as (1) upper case letters or (2) 8.3 file names.

CWE-1782001

CVE-2002-0485

HIGH

CVSS:7.5(High)

Norton Anti-Virus (NAV) allows remote attackers to bypass content filtering via attachments whose Content-Type and Content-Disposition headers are mixed upper and lower case, which is ignored by some ...

CWE-1782002