SCA: security update for @vendure/asset-server-plugin (GHSA-r9mq-3c9r-fmjq)

critical Tenable Cloud Security Plugin ID 418633

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability
in Vendure's asset server plugin allows an attacker to craft a request which is able to traverse the
server file system and retrieve the contents of arbitrary files, including sensitive data such as
configuration files, environment variables, and other critical data stored on the server. In the same code
path is an additional vector for crashing the server via a malformed URI. Patches are available in
versions 3.0.5 and 2.3.3. Some workarounds are also available. One may use object storage rather than the
local file system, e.g. MinIO or S3, or define middleware which detects and blocks requests with urls
containing `/../`. (CVE-2024-48914)

See Also

https://github.com/advisories/GHSA-r9mq-3c9r-fmjq

Plugin Details

Severity: Critical

ID: 418633

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.2

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2024-48914

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/15/2024

Vulnerability Publication Date: 10/15/2024

Reference Information

CVE: CVE-2024-48914