Vulnerability Details CVE-2023-34238
Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the development server could potentially be exposed. It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. A patch has been introduced in `gatsby@5.9.1` and `gatsby@4.25.7` which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 62.8%
CVSS Severity
CVSS v3 Score 4.3
References
- https://github.com/gatsbyjs/gatsby/commit/ae5a654eb346b2e7a9d341b809b2f82d34c0f17c
- https://github.com/gatsbyjs/gatsby/commit/fc22f4ba3ad7ca5fb3592f38f4f0ca8ae60b4bf7
- https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-c6f8-8r25-c4gc
- https://github.com/gatsbyjs/gatsby/commit/ae5a654eb346b2e7a9d341b809b2f82d34c0f17c
- https://github.com/gatsbyjs/gatsby/commit/fc22f4ba3ad7ca5fb3592f38f4f0ca8ae60b4bf7
- https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-c6f8-8r25-c4gc
Products affected by CVE-2023-34238
-
cpe:2.3:a:gatsbyjs:gatsby:-
-
cpe:2.3:a:gatsbyjs:gatsby:2.14.1
-
cpe:2.3:a:gatsbyjs:gatsby:3.0.0
-
cpe:2.3:a:gatsbyjs:gatsby:3.15.2
-
cpe:2.3:a:gatsbyjs:gatsby:4.25.1
-
cpe:2.3:a:gatsbyjs:gatsby:4.25.6
-
cpe:2.3:a:gatsbyjs:gatsby:5.0.0
-
cpe:2.3:a:gatsbyjs:gatsby:5.8.1
-
cpe:2.3:a:gatsbyjs:gatsby:5.9.0