CVE-2024-32982: Litestar and Starlite affected by Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-32982

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Litestar and Starlite affected by Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Source: NVD (National Vulnerability Database)

Vulnerability Description

Litestar and Starlite is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.8.3, 2.7.2, and 2.6.4, a Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of LiteStar. This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at `litestar/static_files/base.py`. This vulnerability is fixed in versions 2.8.3, 2.7.2, and 2.6.4.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

对路径名的限制不恰当(路径遍历)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Litestar 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Litestar是Litestar开源的一个强大、灵活但固执己见的 ASGI 框架。 Litestar存在安全漏洞。攻击者利用该漏洞可以获取敏感信息。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
litestar-org	litestar	>= 2.8.0, < 2.8.3	-

II. Public POCs for CVE-2024-32982

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-32982

Please Login to view more intelligence information

https://github.com/litestar-org/litestar/security/advisories/GHSA-83pv-qr33-2vcfx_refsource_CONFIRM
https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70x_refsource_MISC
https://github.com/litestar-org/litestar/commit/57e706e7effdc182fc9a2af5981bc88afb21851bx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2024-32982

New Vulnerabilities

Product: litestar

Vendor: litestar-org

Same weakness: CWE-22

V. Comments for CVE-2024-32982

No comments yet

Support Us — Your donation helps us keep running

I. Basic Information for CVE-2024-32982

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-32982

III. Intelligence Information for CVE-2024-32982

New Vulnerabilities

V. Comments for CVE-2024-32982

Leave a comment