FKIE_CVE-2024-32982

Vulnerability from fkie_nvd - Published: 2024-05-06 15:15 - Updated: 2024-11-21 09:16
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Summary
Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4.
References
security-advisories@github.comhttps://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70
security-advisories@github.comhttps://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b
security-advisories@github.comhttps://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf
af854a3a-2127-422b-91ae-364da2661108https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70
af854a3a-2127-422b-91ae-364da2661108https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b
af854a3a-2127-422b-91ae-364da2661108https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4."
    },
    {
      "lang": "es",
      "value": "Litestar y Starlite es un framework de interfaz de puerta de enlace de servidor as\u00edncrono (ASGI). Antes de las versiones 2.8.3, 2.7.2 y 2.6.4, se descubri\u00f3 una vulnerabilidad de inclusi\u00f3n de archivos locales (LFI) en el componente de servicio de archivos est\u00e1ticos de LiteStar. Esta vulnerabilidad permite a los atacantes explotar fallas de path traversal, permitiendo el acceso no autorizado a archivos confidenciales fuera de los directorios designados. Dicho acceso puede dar lugar a la divulgaci\u00f3n de informaci\u00f3n confidencial o potencialmente comprometer el servidor. La vulnerabilidad se encuentra en el mecanismo de manejo de rutas de archivos dentro de la funci\u00f3n de servicio de contenido est\u00e1tico, espec\u00edficamente en `litestar/static_files/base.py`. Esta vulnerabilidad se solucion\u00f3 en las versiones 2.8.3, 2.7.2 y 2.6.4."
    }
  ],
  "id": "CVE-2024-32982",
  "lastModified": "2024-11-21T09:16:09.857",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-06T15:15:23.330",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.