CVE-2024-56159
Vulnerability from cvelistv5
Published
2024-12-19 18:58
Modified
2024-12-20 20:44
Summary
Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example. the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the `dist/client` (referred to as `config.build.client` in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains `.map` files corresponding to the code that runs on the server. All **server-output** projects on Astro 5 versions **v5.0.3** through **v5.0.7**, that have **sourcemaps enabled**, either directly or through an add-on such as `sentry`, are affected. The fix for **server-output** projects was released in **astro@5.0.8**. Additionally, all **static-output** projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.8 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **astro@5.0.9**, and backported to Astro v4 in **astro@4.16.18**. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for **server-output** projects was released in **astro@5.0.8**, and the fix for **static-output** projects was released in **astro@5.0.9** and backported to Astro v4 in **astro@4.16.18**. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56159",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-20T20:44:11.061378Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-20T20:44:36.686Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "astro",
          "vendor": "withastro",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.8"
            },
            {
              "status": "affected",
              "version": "\u003c 4.16.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example. the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the `dist/client` (referred to as `config.build.client` in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains `.map` files corresponding to the code that runs on the server. All **server-output** projects on Astro 5 versions **v5.0.3** through **v5.0.7**, that have **sourcemaps enabled**, either directly or through an add-on such as `sentry`, are affected. The fix for **server-output** projects was released in **astro@5.0.8**. Additionally, all **static-output** projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.8 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **astro@5.0.9**, and backported to Astro v4 in **astro@4.16.18**. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for **server-output** projects was released in **astro@5.0.8**, and the fix for **static-output** projects was released in **astro@5.0.9** and backported to Astro v4 in **astro@4.16.18**. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-219",
              "description": "CWE-219: Storage of File with Sensitive Data Under Web Root",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T18:58:31.989Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr"
        },
        {
          "name": "https://github.com/withastro/astro/issues/12703",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/withastro/astro/issues/12703"
        },
        {
          "name": "https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50"
        },
        {
          "name": "https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139"
        }
      ],
      "source": {
        "advisory": "GHSA-49w6-73cw-chjr",
        "discovery": "UNKNOWN"
      },
      "title": "Server source code is exposed to the public if sourcemaps are enabled"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-56159",
    "datePublished": "2024-12-19T18:58:31.989Z",
    "dateReserved": "2024-12-17T18:16:49.854Z",
    "dateUpdated": "2024-12-20T20:44:36.686Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-56159\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-19T19:15:08.123\",\"lastModified\":\"2024-12-20T21:15:09.940\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as css and font files, the sourcemap files **for the server code** are moved to a publicly-accessible folder. Any outside party can read them with an unauthorized HTTP GET request to the same server hosting the rest of the website. While some server files are hashed, making their access obscure, the files corresponding to the file system router (those in `src/pages`) are predictably named. For example. the sourcemap file for `src/pages/index.astro` gets named `dist/client/pages/index.astro.mjs.map`. This vulnerability is the root cause of issue #12703, which links to a simple stackblitz project demonstrating the vulnerability. Upon build, notice the contents of the `dist/client` (referred to as `config.build.client` in astro code) folder. All astro servers make the folder in question accessible to the public internet without any authentication. It contains `.map` files corresponding to the code that runs on the server. All **server-output** projects on Astro 5 versions **v5.0.3** through **v5.0.7**, that have **sourcemaps enabled**, either directly or through an add-on such as `sentry`, are affected. The fix for **server-output** projects was released in **astro@5.0.8**. Additionally, all **static-output** projects built using Astro 4 versions **4.16.17 or older**, or Astro 5 versions **5.0.8 or older**, that have **sourcemaps enabled** are also affected. The fix for **static-output** projects was released in **astro@5.0.9**, and backported to Astro v4 in **astro@4.16.18**. The immediate impact is limited to source code. Any secrets or environment variables are not exposed unless they are present verbatim in the source code. There is no immediate loss of integrity within the the vulnerable server. However, it is possible to subsequently discover another vulnerability via the revealed source code . There is no immediate impact to availability of the vulnerable server. However, the presence of an unsafe regular expression, for example, can quickly be exploited to subsequently compromise the availability. The fix for **server-output** projects was released in **astro@5.0.8**, and the fix for **static-output** projects was released in **astro@5.0.9** and backported to Astro v4 in **astro@4.16.18**. Users are advised to update immediately if they are using sourcemaps or an integration that enables sourcemaps.\"},{\"lang\":\"es\",\"value\":\"Astro es un framework web para sitios web basados en contenido. Un error en el proceso de compilaci\u00f3n permite que cualquier usuario no autenticado lea partes del c\u00f3digo fuente del servidor. Durante la compilaci\u00f3n, junto con los recursos del cliente, como los archivos CSS y de fuentes, los archivos sourcemap **para el c\u00f3digo del servidor** se mueven a una carpeta de acceso p\u00fablico. Cualquier tercero puede leerlos con una solicitud HTTP GET no autorizada al mismo servidor que aloja el resto del sitio web. Si bien algunos archivos del servidor est\u00e1n codificados, lo que hace que su acceso sea oscuro, los archivos correspondientes al enrutador del sistema de archivos (aquellos en `src/pages`) tienen un nombre predecible. Por ejemplo, el archivo sourcemap para `src/pages/index.astro` se llama `dist/client/pages/index.astro.mjs.map`. Esta vulnerabilidad es la causa principal del problema n.\u00b0 12703, que se vincula a un proyecto simple de stackblitz que demuestra la vulnerabilidad. Durante la compilaci\u00f3n, observe el contenido de la carpeta `dist/client` (conocida como `config.build.client` en el c\u00f3digo astro). Todos los servidores astro hacen que la carpeta en cuesti\u00f3n sea accesible a la Internet p\u00fablica sin ninguna autenticaci\u00f3n. Contiene archivos `.map` correspondientes al c\u00f3digo que se ejecuta en el servidor. Todos los proyectos de **server-output** en las versiones de Astro 5 **v5.0.3** a **v5.0.7**, que tengan **sourcemaps habilitado**, ya sea directamente o mediante un complemento como `sentry`, se ven afectados. La correcci\u00f3n para los proyectos de **server-output** se public\u00f3 en **astro@5.0.8**. Adem\u00e1s, todos los proyectos de **static-output** manipulados con Astro 4 versiones **4.16.17 o anteriores**, o Astro 5 versiones **5.0.8 o anteriores**, que tengan **sourcemaps habilitado** tambi\u00e9n se ven afectados. La correcci\u00f3n para los proyectos de **static-output** se public\u00f3 en **astro@5.0.9** y se incorpor\u00f3 a Astro v4 en **astro@4.16.18**. El impacto inmediato se limita al c\u00f3digo fuente. No se exponen los secretos ni las variables de entorno a menos que est\u00e9n presentes textualmente en el c\u00f3digo fuente. No hay una p\u00e9rdida inmediata de integridad dentro del servidor vulnerable. Sin embargo, es posible descubrir posteriormente otra vulnerabilidad a trav\u00e9s del c\u00f3digo fuente revelado. No hay un impacto inmediato en la disponibilidad del servidor vulnerable. Sin embargo, la presencia de una expresi\u00f3n regular insegura, por ejemplo, puede explotarse r\u00e1pidamente para comprometer posteriormente la disponibilidad. La correcci\u00f3n para los proyectos **server-output** se public\u00f3 en **astro@5.0.8**, y la correcci\u00f3n para los proyectos **static-output** se public\u00f3 en **astro@5.0.9** y se incorpor\u00f3 a Astro v4 en **astro@4.16.18**. Se recomienda a los usuarios que actualicen de inmediato si est\u00e1n usando mapas de origen o una integraci\u00f3n que los habilite.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"LOW\",\"vulnerableSystemIntegrity\":\"NONE\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"HIGH\",\"subsequentSystemIntegrity\":\"LOW\",\"subsequentSystemAvailability\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-219\"}]}],\"references\":[{\"url\":\"https://github.com/getsentry/sentry-javascript/blob/develop/packages/astro/src/integration/index.ts#L50\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/withastro/astro/blob/176fe9f113fd912f9b61e848b00bbcfecd6d5c2c/packages/astro/src/core/build/static-build.ts#L139\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/withastro/astro/issues/12703\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/withastro/astro/security/advisories/GHSA-49w6-73cw-chjr\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.