Information disclosure in Gatsby

#VU77149 Information disclosure in Gatsby

Published: 2023-06-12

Vulnerability identifier: #VU77149

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34238

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Gatsby
Web applications / Modules and components for CMS

Vendor: Gatsby

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a local file inclusion issue in the "__file-code-frame" and "__original-stack-frame" paths. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Gatsby: 4.25.0 - 5.9.0

External links
http://github.com/gatsbyjs/gatsby/commit/fc22f4ba3ad7ca5fb3592f38f4f0ca8ae60b4bf7
http://github.com/gatsbyjs/gatsby/security/advisories/GHSA-c6f8-8r25-c4gc
http://github.com/gatsbyjs/gatsby/commit/ae5a654eb346b2e7a9d341b809b2f82d34c0f17c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Local File Inclusion in Gatsby