admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-28 09:11:28 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2025/CVE-2025-249xx/CVE-2025-24963.json
cad-safe-bot 03e4a37847 Auto-Update: 2025-02-16T03:00:21.640882+00:00
2025-02-16 03:03:51 +00:00

72 lines
3.5 KiB
JSON
Raw Blame History

{
"id": "CVE-2025-24963",
"sourceIdentifier": "security-advisories@github.com",
"published": "2025-02-04T20:15:50.330",
"lastModified": "2025-02-04T20:15:50.330",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host: true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Vitest es un framework de prueba desarrollado por Vite. El controlador `__screenshot-error` en el servidor HTTP en modo navegador que responde a cualquier archivo en el archivo sistema. Especialmente si el servidor est\u00e1 expuesto en la red por `browser.api.host: true`, un atacante puede enviar una solicitud a ese controlador desde el control remoto para obtener el contenido de archivos arbitrarios. Este controlador `__screenshot-error` en el servidor HTTP en modo navegador responde a cualquier archivo en el tallo sistema. Este c\u00f3digo fue agregado por commit `2d62051`. Los usuarios que expongan expl\u00edcitamente el servidor en modo navegador a la red por `browser.api.host: true` pueden exponer cualquier archivo. Este problema se ha solucionado en las versiones 2.1.9 y 3.0.4. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-22"
}
]
}
],
"references": [
{
"url": "https://github.com/vitest-dev/vitest/blob/f17918a79969d27a415f70431e08a9445b051e45/packages/browser/src/node/plugin.ts#L88-L130",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/vitest-dev/vitest/commit/2d62051f13b4b0939b2f7e94e88006d830dc4d1f",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/vitest-dev/vitest/security/advisories/GHSA-8gvc-j273-4wm5",
"source": "security-advisories@github.com"
},
{
"url": "https://vitest.dev/guide/browser/config.html#browser-api",
"source": "security-advisories@github.com"
}
]
}
Reference in New Issue View Git Blame Copy Permalink