CVE-2024-32982
Litestar and Starlite affected by Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4.
Litestar y Starlite es un framework de interfaz de puerta de enlace de servidor asíncrono (ASGI). Antes de las versiones 2.8.3, 2.7.2 y 2.6.4, se descubrió una vulnerabilidad de inclusión de archivos locales (LFI) en el componente de servicio de archivos estáticos de LiteStar. Esta vulnerabilidad permite a los atacantes explotar fallas de path traversal, permitiendo el acceso no autorizado a archivos confidenciales fuera de los directorios designados. Dicho acceso puede dar lugar a la divulgación de información confidencial o potencialmente comprometer el servidor. La vulnerabilidad se encuentra en el mecanismo de manejo de rutas de archivos dentro de la función de servicio de contenido estático, específicamente en `litestar/static_files/base.py`. Esta vulnerabilidad se solucionó en las versiones 2.8.3, 2.7.2 y 2.6.4.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-04-22 CVE Reserved
- 2024-05-06 CVE Published
- 2024-05-07 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70 | X_refsource_misc | |
| https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851b | X_refsource_misc | |
| https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcf | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Litestar-org Search vendor "Litestar-org" | Litestar Search vendor "Litestar-org" for product "Litestar" | >= 2.8.0 < 2.8.3 Search vendor "Litestar-org" for product "Litestar" and version " >= 2.8.0 < 2.8.3" | en |
Affected
| ||||||
| Litestar-org Search vendor "Litestar-org" | Litestar Search vendor "Litestar-org" for product "Litestar" | >= 1.37.0 <= 1.51.14 Search vendor "Litestar-org" for product "Litestar" and version " >= 1.37.0 <= 1.51.14" | en |
Affected
| ||||||
| Litestar-org Search vendor "Litestar-org" | Litestar Search vendor "Litestar-org" for product "Litestar" | >= 2.7.0 < 2.7.2 Search vendor "Litestar-org" for product "Litestar" and version " >= 2.7.0 < 2.7.2" | en |
Affected
| ||||||
| Litestar-org Search vendor "Litestar-org" | Litestar Search vendor "Litestar-org" for product "Litestar" | >= 2.0.0 < 2.6.4 Search vendor "Litestar-org" for product "Litestar" and version " >= 2.0.0 < 2.6.4" | en |
Affected
| ||||||