CVE-2024-48914 (CVSS 9.1): Critical File Read Flaw Discovered in Vendure E-commerce Platform

Vendure, a popular open-source headless commerce platform, has patched a critical security vulnerability that could allow attackers to read arbitrary files from the server, potentially exposing sensitive information like configuration files and environment variables.

The vulnerability, tracked as CVE-2024-48914 and assigned a CVSS score of 9.1, stems from a path traversal issue in the AssetServerPlugin when used with the LocalAssetStorageStrategy. This flaw allows attackers to craft malicious requests that exploit the lack of proper path normalization to access files outside the intended directory.

Security researcher Rajesh Sharma, who discovered the vulnerability, provided a proof-of-concept (POC) demonstrating how an attacker could retrieve the contents of the package.json file:

curl --path-as-is http://localhost:3000/assets/../package.json

“If the vendure service is behind some server like nginx, apache, etc. Path normalization is performed on the root server level but still the actual client’s request path will be sent to vendure service but not the resultant normalized path,” Sharma explains in the advisory. “However, depending on the type of root server one can try various payloads to bypass such normalization.”

Sharma also identified a denial-of-service (DoS) vector in the same code path. By sending a request with an incorrectly encoded URI, an attacker could crash the server.

curl --path-as-is http://localhost:3000/assets/%80package.json

“When these malformed requests are processed, they can lead to system crashes or resource exhaustion, rendering the service unavailable to users,” the advisory warns.

Impact and Remediation

This vulnerability poses a significant risk to Vendure users who utilize the LocalAssetStorageStrategy, as it could allow attackers to steal sensitive data and disrupt service availability.

Vendure has addressed the vulnerability in versions 3.0.5 and 2.3.3 and urges users to update their installations immediately. As a workaround, the advisory recommends using object storage like MinIO or S3 instead of the local file system or implementing middleware to block requests with potentially malicious URLs.
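The middleware workaround could look like the sketch below. It is an added example, not code from Vendure or the advisory: it assumes an Express-style (req, res, next) handler placed in front of the asset route, and the names rejectReason, assetPathGuard and simulate are hypothetical. It rejects both request shapes described above, the ".." traversal and the malformed percent-encoding.

```javascript
// Added example, not Vendure's code. All names here are hypothetical.
// Returns null if the raw request path is acceptable, else a reason string.
function rejectReason(rawPath) {
  let decoded;
  try {
    // decodeURIComponent throws URIError on invalid sequences such as "%80".
    // Catching it here turns the malformed request into a clean rejection.
    decoded = decodeURIComponent(rawPath);
  } catch (err) {
    return 'malformed-encoding';
  }
  if (decoded.includes('\0')) return 'nul-byte';
  // Split on both separators so "..\" is treated the same as "../".
  const segments = decoded.split(/[\\/]/);
  if (segments.includes('..')) return 'dot-dot-segment';
  return null;
}

// Express-style middleware (assumed signature: req, res, next).
function assetPathGuard(req, res, next) {
  // Use the path as received by the server and drop the query string.
  const rawPath = String(req.originalUrl || req.url || '').split('?')[0];
  if (rejectReason(rawPath) !== null) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Drive the guard with a constructed request; returns 'next' or the status code.
function simulate(url) {
  let outcome = null;
  const res = { statusCode: 200, end() { outcome = this.statusCode; } };
  assetPathGuard({ originalUrl: url }, res, () => { outcome = 'next'; });
  return outcome;
}

// Constructed sample requests, including the two shown in the article.
for (const url of ['/assets/../package.json', '/assets/%80package.json',
                   '/assets/%2e%2e/package.json', '/assets/photo.jpg?w=200']) {
  console.log(url, '->', simulate(url));
}
```

The check decodes the path once, on the assumption that the downstream handler also decodes once; it is a stopgap in front of the route, and upgrading to 3.0.5 or 2.3.3 remains the fix.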

With a CVSS score of 9.1, CVE-2024-48914 represents a significant threat to any organization running vulnerable versions of Vendure. Whether through path traversal or denial of service attacks, malicious actors have the potential to gain access to sensitive files or disable the service entirely. Vendure users should upgrade to the patched versions or apply the recommended workarounds without delay to mitigate these critical risks.
