-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency vite to v5.4.6 [security] #1601
base: main
Are you sure you want to change the base?
Conversation
f8761a5
to
064dc2d
Compare
064dc2d
to
5905be0
Compare
5905be0
to
bbb20e7
Compare
bbb20e7
to
23fb246
Compare
23fb246
to
9b24824
Compare
9b24824
to
e3b54cc
Compare
e3b54cc
to
c50d4a7
Compare
c50d4a7
to
d9d5444
Compare
d9d5444
to
ef2658f
Compare
ef2658f
to
9a12afb
Compare
a7ae994
to
382dd9c
Compare
382dd9c
to
cb2019d
Compare
cb2019d
to
a924017
Compare
300b01f
to
6bfc537
Compare
6bfc537
to
ed5563a
Compare
ed5563a
to
f7ab665
Compare
f7ab665
to
1a0aa1f
Compare
1a0aa1f
to
4153467
Compare
4153467
to
5c9e5b0
Compare
5c9e5b0
to
ad8d451
Compare
ad8d451
to
c235330
Compare
c235330
to
3022823
Compare
3022823
to
6598350
Compare
6598350
to
1432f43
Compare
1432f43
to
9a22890
Compare
Quality Gate passed for 'onroutebc_scheduler'Issues Measures |
Quality Gate passed for 'onroutebc_policy'Issues Measures |
Quality Gate passed for 'onroutebc dops'Issues Measures |
Quality Gate passed for 'onroutebc vehicles'Issues Measures |
Quality Gate passed for 'onroutebc frontend'Issues Measures |
This PR contains the following updates:
5.4.2
->5.4.6
GitHub Vulnerability Alerts
CVE-2024-45811
Summary
The contents of arbitrary files can be returned to the browser.
Details
@fs
denies access to files outside of Vite serving allow list. Adding?import&raw
to the URL bypasses this limitation and returns the file content if it exists.PoC
CVE-2024-45812
Summary
We discovered a DOM Clobbering vulnerability in Vite when building scripts to
cjs
/iife
/umd
output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986
Details
Backgrounds
DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:
[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/
Gadgets found in Vite
We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to
cjs
,iife
, orumd
. In such cases, Vite replaces relative paths starting with__VITE_ASSET__
using the URL retrieved fromdocument.currentScript
.However, this implementation is vulnerable to a DOM Clobbering attack. The
document.currentScript
lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.PoC
Considering a website that contains the following
main.js
script, the devloper decides to use the Vite to bundle up the program with the following configuration.After running the build command, the developer will get following bundle as the output.
Adding the Vite bundled script,
dist/index-DDmIg9VD.js
, as part of the web page source code, the page could load theextra.js
file from the attacker's domain,attacker.controlled.server
. The attacker only needs to insert animg
tag with thename
attribute set tocurrentScript
. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.Impact
This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of
cjs
,iife
, orumd
) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.Patch
Release Notes
vitejs/vite (vite)
v5.4.6
Compare Source
Please refer to CHANGELOG.md for details.
v5.4.5
Compare Source
Please refer to CHANGELOG.md for details.
v5.4.4
Compare Source
Please refer to CHANGELOG.md for details.
v5.4.3
Compare Source
file://
reference (#17909) (561b940), closes #17909Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
Thanks for the PR!
Deployments, as required, will be available below:
Please create PRs in draft mode. Mark as ready to enable:
After merge, new images are promoted to: