[Security] Bump vite from 5.0.11 to 5.0.12 in /webapp
Bumps vite from 5.0.11 to 5.0.12. This update includes a security fix.
Vulnerabilities fixed
Vite dev server option
server.fs.deny
can be bypassed when hosted on case-insensitive filesystemSummary
Vite dev server option
server.fs.deny
can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.
Patches
Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17
Details
Since
picomatch
defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.See
picomatch
usage, wherenocase
is defaulted tofalse
: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632By requesting raw filesystem paths using augmented casing, the matcher derived from
config.server.fs.deny
fails to block access to sensitive files.PoC
Setup
- Created vanilla Vite project using
npm create vite@latest
on a Standard Azure hosted Windows 10 instance.
npm run dev -- --host 0.0.0.0
- Publicly accessible for the time being here: http://20.12.242.81:5173/
... (truncated)
Patched versions: 5.0.12 Affected versions: >= 5.0.0, <= 5.0.11
Commits
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot rebase
will rebase this MR -
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts