CVE-2024-48914: Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy

October 15, 2024

This vulnerability allows an attacker to craft a request which is able to traverse the server file system and retrieve the contents of arbitrary files, including sensitive data such as configuration files, environment variables, and other critical data stored on the server.

References

github.com/advisories/GHSA-r9mq-3c9r-fmjq
github.com/vendure-ecommerce/vendure
github.com/vendure-ecommerce/vendure/blob/801980e8f599c28c5059657a9d85dd03e3827992/packages/asset-server-plugin/src/plugin.ts
github.com/vendure-ecommerce/vendure/commit/e2ee0c43159b3d13b51b78654481094fdd4850c5
github.com/vendure-ecommerce/vendure/commit/e4b58af6822d38a9c92a1d8573e19288b8edaa1c
github.com/vendure-ecommerce/vendure/security/advisories/GHSA-r9mq-3c9r-fmjq
nvd.nist.gov/vuln/detail/CVE-2024-48914

Code Behaviors & Features

Detect and mitigate CVE-2024-48914 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →