CVE-2024-11314

Relative Path Traversal (CWE-23)

Published: Nov 18, 2024 / Updated: 1d ago

CVSS 9.8 (Critical) / EPSS 0.09%

Summary

The DVC from TRCore has a path traversal vulnerability in its file upload handling and does not restrict the types of uploaded files. An unauthenticated remote attacker can therefore write an arbitrary file into any directory the DVC process can write to; dropping a webshell into a web-served directory yields arbitrary code execution. The VulDB entry quoted in the News section lists TRCore DVC up to version 6.3 as affected.
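The bug class the summary describes, modelled as an added example in Python. This is not TRCore's code: the DVC's real upload handler, language and directory layout are not public, so the upload directory, the allowed extensions and the attacker's filenames are assumptions. The vulnerable function joins the client-supplied filename onto the upload directory as-is; the hardened one confines the name to a single path component, allow-lists the extension and checks that the canonical destination stays inside the upload directory.

```python
"""Path-traversal-in-upload, modelled in Python (added example; not TRCore DVC code).

vulnerable_target_path() reproduces the bug class the advisory describes: the
filename from the multipart form is joined onto the upload directory as-is, so
"../" segments walk out of it and any extension is accepted.
hardened_target_path() applies the three checks a fixed handler needs.
Paths, extensions and sample filenames are assumptions for illustration.
"""
import os
import posixpath
import tempfile

# Assumption: the file types a DVC client legitimately uploads.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}


class UploadRejected(ValueError):
    """Raised by the hardened handler instead of writing the file."""


def vulnerable_target_path(upload_dir: str, client_filename: str) -> str:
    """The flaw: trusts the client filename, so '..' escapes upload_dir.

    Modelled on a POSIX server with posixpath so the result is platform
    independent; a real handler would then open() this path for writing.
    """
    return posixpath.normpath(posixpath.join(upload_dir, client_filename))


def hardened_target_path(upload_dir: str, client_filename: str) -> str:
    """Return a safe destination inside upload_dir or raise UploadRejected."""
    # 1. Keep only the last path component. Normalise backslashes first: a
    #    Windows client (or attacker) may send "..\\..\\web\\x.jsp".
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name in {".", ".."} or "\x00" in name:
        raise UploadRejected("empty, dot or NUL-containing filename")

    # 2. Allow-list the extension (case-insensitive, last extension only, so
    #    "shell.php" and "x.PHP" are rejected, "report.pdf" is accepted).
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")

    # 3. Canonicalise and check containment. Redundant after step 1, but it
    #    also catches symlinks inside upload_dir pointing elsewhere and any
    #    future change that lets a separator through.
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise UploadRejected("resolved path escapes the upload directory")
    return target


def run_demo() -> dict:
    """Run both handlers over constructed filenames and collect the outcomes."""
    results = {}
    # Vulnerable: three '..' climb from /srv/dvc/uploads to / and land in the web root.
    results["vulnerable"] = vulnerable_target_path(
        "/srv/dvc/uploads", "../../../var/www/html/shell.php")
    upload_dir = tempfile.mkdtemp(prefix="dvc-uploads-")  # stand-in for the real directory
    for client_name in ("../../../var/www/html/shell.php",
                        "..\\..\\web\\cmd.jsp",
                        "shell.php",
                        "report.pdf"):
        try:
            results[client_name] = hardened_target_path(upload_dir, client_name)
        except UploadRejected as exc:
            results[client_name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key!r:45} -> {value}")
```

Two points the checks alone do not cover: an extension allow-list does not help if the web server executes files by content or by a double extension it parses differently, so the upload directory should sit outside the web root or be mounted without execute permission; and the containment check in step 3 must use the canonical (symlink-resolved) path, which is why it calls realpath on both sides before comparing.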

Impact

This vulnerability allows unauthenticated remote attackers to upload arbitrary files to any directory the DVC process can write to. The impact is severe because a webshell dropped into a web-served directory gives arbitrary code execution with the privileges of the service, which can mean complete system compromise: unauthorized access to sensitive data, modification of system files, and use of the compromised host as a launching point for further attacks. The CVSS vector rates the confidentiality, integrity and availability impact all High.

Exploitation

No public proof-of-concept is known, and there is no evidence of exploitation in the wild at the time of writing.

Patch

As of the latest information available (2024-11-18), no patch has been announced for this vulnerability. The security team should monitor TRCore's announcements for DVC security updates.

Mitigation

While awaiting a patch, consider the following mitigation strategies:

1. Restrict network access to the DVC component (firewall, VPN, allow-lists) so only trusted hosts can reach the upload endpoint. The vulnerability needs no authentication, so internet exposure is the main risk.
2. Put a Web Application Firewall in front of the affected systems. A rule for this class of bug must inspect the filename of each multipart upload part, not only the URL or query string, for `..` sequences in both slash directions and in common encodings. Treat this as a stop-gap; filters of this kind are routinely bypassed.
3. If you control the upload path, add validation: keep only the last path component of the client filename, allow-list extensions, and verify that the canonical destination stays inside the intended upload directory, which should itself be outside the web root or not executable.
4. Monitor and audit the file system for unauthorized changes or suspicious files, in particular server-executable files (PHP, JSP, ASPX) appearing under web-served or upload directories.
5. Run the DVC service under a least-privileged account. The attacker can only write where that account can, so a service running as root/SYSTEM, or as the web server user, turns this bug into full compromise.
6. Temporarily disable the file upload functionality if it is not critical for operations.
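For the file-system monitoring step, an added Python example of the kind of integrity sweep that catches the outcome of this bug. It is not TRCore tooling: it takes a baseline hash of a web root, diffs each pass against it, and scans any new or changed server-executable file for the primitives a webshell needs. The web root, the extension list and the indicator strings are assumptions; the planted shell is a constructed one-liner.

```python
"""Web-root change detection with webshell indicators (added example for the
file-system monitoring step; not TRCore tooling). snapshot() hashes every
file, diff() finds what appeared or changed since the baseline, and
suspicious() greps new/changed server-executable files for the primitives a
webshell needs. Root path, extensions and indicator list are assumptions.
"""
import hashlib
import os
import re
import tempfile

# Assumption: extensions the web server would execute rather than serve as data.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".ashx"}

# Assumption: crude indicators - request input and code/command execution primitives.
INDICATORS = re.compile(
    rb"eval\s*\(|assert\s*\(|system\s*\(|passthru\s*\(|shell_exec\s*\(|"
    rb"proc_open\s*\(|popen\s*\(|base64_decode\s*\(|"
    rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|Process\.Start|"
    rb"\$_(?:GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def snapshot(root: str) -> dict:
    """Map each regular file under root (path relative to root, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def diff(baseline: dict, current: dict):
    """Return (added, changed, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(set(baseline) - set(current))
    return added, changed, removed


def suspicious(root: str, rel: str) -> list:
    """Indicator strings found in an executable file; [] for non-executable types."""
    if os.path.splitext(rel)[1].lower() not in EXECUTABLE_EXTS:
        return []
    with open(os.path.join(root, rel), "rb") as fh:
        data = fh.read(1 << 20)  # webshells are small; cap the read for large files
    return sorted({m.group(0).decode("latin-1") for m in INDICATORS.finditer(data)})


def sweep(root: str, baseline: dict):
    """One monitoring pass: what changed since baseline, and which of it looks like a shell."""
    current = snapshot(root)
    added, changed, removed = diff(baseline, current)
    findings = {rel: hits for rel in added + changed if (hits := suspicious(root, rel))}
    return added, changed, removed, findings


def run_demo():
    """Constructed web root: take a baseline, then plant what an exploit would leave behind."""
    root = tempfile.mkdtemp(prefix="dvc-webroot-")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'DVC'; ?>")
    baseline = snapshot(root)

    os.makedirs(os.path.join(root, "assets", "img"))
    # Constructed one-line PHP webshell and a harmless image, both "uploaded" after the baseline.
    with open(os.path.join(root, "assets", "img", "x.php"), "wb") as fh:
        fh.write(b"<?php @eval($_POST['c']); ?>")
    with open(os.path.join(root, "assets", "img", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")
    return sweep(root, baseline)


if __name__ == "__main__":
    added, changed, removed, findings = run_demo()
    print("added:", added, "changed:", changed, "removed:", removed)
    for rel, hits in findings.items():
        print(f"SUSPICIOUS {rel}: {hits}")
```

Keep the baseline off the monitored host (or on read-only storage): an attacker who already has code execution can rewrite a local baseline. The indicator list is a signal, not proof; in practice any newly created executable file under an upload or web-served directory deserves an alert on its own, and the indicator hits only prioritise which to look at first.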

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-11314

Nov 18, 2024 at 7:15 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Nov 18, 2024 at 7:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-11314.

Nov 18, 2024 at 7:27 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 18, 2024 at 7:27 AM
EPSS

EPSS Score was set to: 0.09% (Percentile: 40.3%)

Nov 19, 2024 at 9:42 AM

Links to MITRE ATT&CK

T1574.010: Services File Permissions Weakness

Attack Patterns

CAPEC-139: Relative Path Traversal

News

Critical - CVE-2024-11314 - The DVC from TRCore has a Path Traversal...
The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory,...
CVE-2024-11314 | TRCore DVC up to 6.3 path traversal
A vulnerability was found in TRCore DVC up to 6.3. It has been declared as very critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to relative path traversal. This vulnerability is known as CVE-2024-11314. The attack can be launched remotely. There is no exploit available.
CVE-2024-11314 - TRCore DVC Path Traversal and Unrestricted File Upload Vulnerability November 18, 2024 at 07:15AM https://ift.tt/5vDyAoK #CVE #IOC #CTI #ThreatIntelligence #ThreatIntel #Cybersecurity #Recon
TRCore DVC - Arbitrary File Upload through Path Traversal
Trcore - CRITICAL - CVE-2024-11314 The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.
CVE-2024-11314 - TRCore DVC Path Traversal and Unrestricted File Upload Vulnerability
CVE ID: CVE-2024-11314. Published: Nov. 18, 2024, 7:15 a.m. Description: The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells. Severity: 9.8

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
