2023-06-09 11:28:17 +00:00
{
"id" : "CVE-2023-34238" ,
"sourceIdentifier" : "security-advisories@github.com" ,
"published" : "2023-06-08T00:15:09.907" ,
2023-06-22 02:00:32 +00:00
"lastModified" : "2023-06-22T00:11:42.943" ,
"vulnStatus" : "Analyzed" ,
2024-07-14 02:06:08 +00:00
"cveTags" : [ ] ,
2023-06-09 11:28:17 +00:00
"descriptions" : [
{
"lang" : "en" ,
"value" : "Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the development server could potentially be exposed. It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. A patch has been introduced in `gatsby@5.9.1` and `gatsby@4.25.7` which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet."
}
] ,
"metrics" : {
"cvssMetricV31" : [
2023-06-22 02:00:32 +00:00
{
"source" : "nvd@nist.gov" ,
"type" : "Primary" ,
"cvssData" : {
"version" : "3.1" ,
"vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" ,
"attackVector" : "NETWORK" ,
"attackComplexity" : "LOW" ,
"privilegesRequired" : "NONE" ,
"userInteraction" : "NONE" ,
"scope" : "UNCHANGED" ,
"confidentialityImpact" : "LOW" ,
"integrityImpact" : "NONE" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 5.3 ,
"baseSeverity" : "MEDIUM"
} ,
"exploitabilityScore" : 3.9 ,
"impactScore" : 1.4
} ,
2023-06-09 11:28:17 +00:00
{
"source" : "security-advisories@github.com" ,
"type" : "Secondary" ,
"cvssData" : {
"version" : "3.1" ,
"vectorString" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" ,
"attackVector" : "NETWORK" ,
"attackComplexity" : "LOW" ,
"privilegesRequired" : "LOW" ,
"userInteraction" : "NONE" ,
"scope" : "UNCHANGED" ,
"confidentialityImpact" : "LOW" ,
"integrityImpact" : "NONE" ,
"availabilityImpact" : "NONE" ,
"baseScore" : 4.3 ,
"baseSeverity" : "MEDIUM"
} ,
"exploitabilityScore" : 2.8 ,
"impactScore" : 1.4
}
]
} ,
"weaknesses" : [
{
2023-06-22 02:00:32 +00:00
"source" : "nvd@nist.gov" ,
2023-06-09 11:28:17 +00:00
"type" : "Primary" ,
2023-06-22 02:00:32 +00:00
"description" : [
{
"lang" : "en" ,
"value" : "NVD-CWE-noinfo"
}
]
} ,
{
"source" : "security-advisories@github.com" ,
"type" : "Secondary" ,
2023-06-09 11:28:17 +00:00
"description" : [
{
"lang" : "en" ,
"value" : "CWE-22"
}
]
}
] ,
2023-06-22 02:00:32 +00:00
"configurations" : [
{
"nodes" : [
{
"operator" : "OR" ,
"negate" : false ,
"cpeMatch" : [
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:gatsbyjs:gatsby:*:*:*:*:*:node.js:*:*" ,
"versionEndExcluding" : "4.25.7" ,
"matchCriteriaId" : "1440439C-1B43-4FD0-827C-494618E603FE"
} ,
{
"vulnerable" : true ,
"criteria" : "cpe:2.3:a:gatsbyjs:gatsby:*:*:*:*:*:node.js:*:*" ,
"versionStartIncluding" : "5.0.0" ,
"versionEndExcluding" : "5.9.1" ,
"matchCriteriaId" : "5884BD00-9554-40D4-9191-11FD8B156579"
}
]
}
]
}
] ,
2023-06-09 11:28:17 +00:00
"references" : [
{
"url" : "https://github.com/gatsbyjs/gatsby/commit/ae5a654eb346b2e7a9d341b809b2f82d34c0f17c" ,
2023-06-22 02:00:32 +00:00
"source" : "security-advisories@github.com" ,
"tags" : [
"Patch"
]
2023-06-09 11:28:17 +00:00
} ,
{
"url" : "https://github.com/gatsbyjs/gatsby/commit/fc22f4ba3ad7ca5fb3592f38f4f0ca8ae60b4bf7" ,
2023-06-22 02:00:32 +00:00
"source" : "security-advisories@github.com" ,
"tags" : [
"Patch"
]
2023-06-09 11:28:17 +00:00
} ,
{
"url" : "https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-c6f8-8r25-c4gc" ,
2023-06-22 02:00:32 +00:00
"source" : "security-advisories@github.com" ,
"tags" : [
"Exploit" ,
"Mitigation" ,
"Vendor Advisory"
]
2023-06-09 11:28:17 +00:00
}
]
}
