
chore(deps): update dependency vite to v3.2.7 [security] #56

Open. Wants to merge 1 commit into base: master.

Conversation

renovate[bot] commented Jun 6, 2023

Mend Renovate

This PR contains the following updates:

Package: vite (source)
Change: 3.2.2 -> 3.2.7
(Age, adoption, passing and confidence badges not reproduced.)

GitHub Vulnerability Alerts

CVE-2023-34092

Summary

The issue involves a security vulnerability in Vite, where the server options can be bypassed using a double forward slash (//). This vulnerability poses a potential security risk as it can allow unauthorized access to sensitive directories and files. This document outlines the steps to address and mitigate this issue.

Steps to Fix

1. Update Vite: ensure that you are using the latest version of Vite. Security issues like this are often fixed in newer releases.

2. Secure the Server Configuration: in your vite.config.js file, review and update the server configuration options to restrict access to unauthorized requests or directories. For example:

```javascript
// vite.config.js
export default {
  server: {
    fs: {
      deny: ['private-directory'] // Restrict access to specific directories
    }
  }
}
```

Impact

Only users explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected, and only files in the immediate Vite project root folder could be exposed.

Patches

Fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5
And in the latest minors of the previous two majors: vite@3.2.7, vite@2.9.16

Details

Vite serves the application from the root path of the project while running in dev mode. By default, Vite uses the server option fs.deny to protect sensitive files. But with a simple double forward slash, we can bypass this fs restriction.

PoC

  1. Create a new project with the latest Vite using any package manager (here I'm using the react and vue templates for testing, and pnpm).
  2. Serve the application in dev mode using pnpm run dev.
  3. Directly access the file from the URL using a double forward slash (//) (e.g. //.env, //.env.local).
  4. The server option fs.deny restriction is successfully bypassed.

Proof Images: two screenshots (proof-1, proof-2), not reproduced here.


Release Notes

vitejs/vite (vite)

v3.2.7: please refer to CHANGELOG.md for details.
v3.2.6
v3.2.5
v3.2.4
v3.2.3


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.

renovate bot added the dependencies and ready for review labels Jun 6, 2023
renovate bot requested review from jonahsnider and trs June 6, 2023 18:40
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 12 times, most recently from 5e1c2a6 to f9d4a95, June 13, 2023 23:50
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 3 times, most recently from 2a699e2 to 60c81aa, June 16, 2023 20:24
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 10 times, most recently from f3d1d9b to e747b1d, July 12, 2023 22:15
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch from e747b1d to 610bb8f, July 14, 2023 02:20
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch from cff9c39 to 468c903, July 19, 2023 18:17
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 4 times, most recently from 632636e to cbb9081, August 9, 2023 13:55
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 12 times, most recently from 9ee0268 to 5f87e5b, August 26, 2023 05:38
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 2 times, most recently from 3b61ac3 to 62726b6, August 30, 2023 19:11
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 6 times, most recently from 3261187 to 4a7e3b5, September 28, 2023 21:27
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch 3 times, most recently from e0a57be to 1e6bef9, October 12, 2023 21:50
renovate bot force-pushed the renovate/npm-vite-vulnerability/VF-000 branch from 1e6bef9 to cca24f1, October 12, 2023 21:57