CVE-2024-34995

Path Equivalence: 'fakedir/../realdir/filename' (CWE-57)

Published: May 24, 2024 / Updated: 5mo ago

CVSS 4.3 (Medium). No EPSS yet.

Summary

svnWebUI v1.8.3 was discovered to contain an arbitrary file deletion vulnerability via the dirTemps parameter under com.cym.controller.UserController#importOver. This vulnerability allows attackers to delete arbitrary files via a crafted POST request.

Impact

An attacker could leverage this vulnerability to delete sensitive files on the vulnerable system, potentially leading to data loss, system instability, or further compromise of the affected host.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.

Patch

Version 1.8.4 of svnWebUI is available and patches this arbitrary file deletion vulnerability. Upgrade to the latest patched release.

Mitigation

Upgrade to svnWebUI 1.8.4 or later, which addresses this issue. Review file permissions and apply other hardening steps to restrict access to sensitive areas of the filesystem. Implement input validation to prevent uploading malicious files.
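
As an added illustration of validating a client-supplied path such as dirTemps before any delete, the Java sketch below canonicalizes the value and refuses anything that resolves outside a fixed temp root. It is not svnWebUI's code and not the 1.8.4 patch; the class, method and directory names are hypothetical and the sample inputs are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; class, method and directory names are hypothetical, not svnWebUI's.
public class SafeTempDelete {

    /** Resolve a client-supplied path and return it only if it stays strictly inside root. */
    static Path resolveInside(Path root, String userValue) throws IOException {
        if (userValue == null || userValue.isEmpty() || userValue.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed path");
        }
        Path base = root.toRealPath();                         // canonical root, symlinks resolved
        Path candidate = base.resolve(userValue).normalize();  // collapses "fakedir/../" segments
        // An absolute userValue replaces base in resolve(); the prefix check rejects it too.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new SecurityException("path escapes temp root: " + userValue);
        }
        // If the target exists, repeat the check with symlinks resolved.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new SecurityException("symlink escapes temp root: " + userValue);
        }
        return candidate;
    }

    /** Delete only after the containment check; returns true if a file was removed. */
    static boolean deleteTemp(Path root, String userValue) throws IOException {
        return Files.deleteIfExists(resolveInside(root, userValue));
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("import-temps-example"); // constructed sandbox
        Files.createDirectories(root.resolve("upload1"));
        Files.createFile(root.resolve("upload1/data.zip"));
        // Constructed sample inputs: one legitimate, three that must be refused.
        String[] inputs = { "upload1/data.zip", "fakedir/../../outside.txt",
                            root.getParent().resolve("outside.txt").toString(), "upload1/.." };
        for (String in : inputs) {
            try {
                System.out.println("deleted=" + deleteTemp(root, in) + "  " + in);
            } catch (SecurityException e) {
                System.out.println("REJECTED  " + e.getMessage());
            }
        }
    }
}
```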

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Timeline

CVE Assignment (May 24, 2024 at 4:15 PM): NVD published the first details for CVE-2024-34995.

First Article (May 24, 2024 at 4:24 PM / National Vulnerability Database): Feedly found the first article mentioning CVE-2024-34995.

CVSS Estimate (May 24, 2024 at 4:24 PM): Feedly estimated the CVSS score as HIGH.

Trending (May 24, 2024 at 7:24 PM): This CVE started to trend in security discussions.

Trending (May 27, 2024 at 4:22 PM): This CVE stopped trending in security discussions.

News

CVE-2024-34995
High Severity Description svnWebUI v1.8.3 was discovered to contain an arbitrary file deletion vulnerability via the dirTemps parameter under com.cym.controller.UserController#importOver. This vulnerability allows attackers to delete arbitrary files via a crafted POST request. Read more at https://www.tenable.com/cve/CVE-2024-34995
CVE-2024-34995
svnWebUI v1.8.3 was discovered to contain an arbitrary file deletion vulnerability via the dirTemps parameter under com.cym.controller.UserController#importOver. This vulnerability allows attackers to delete arbitrary files via a crafted POST request. CVE-2024-34995 originally published on CyberSecurityBoard
CVE-2024-34995 | svnWebUI 1.8.3 com.cym.controller.UserController#importOver dirTemps denial of service
A vulnerability was found in svnWebUI 1.8.3 and classified as problematic. This issue affects some unknown processing of the file com.cym.controller.UserController#importOver. The manipulation of the argument dirTemps leads to denial of service. The identification of this vulnerability is CVE-2024-34995. The attack can only be done within the local network. There is no exploit available.
CVE-2024-34995
svnWebUI v1.8.3 was discovered to contain an arbitrary file deletion vulnerability via the dirTemps parameter under com.cym.controller.UserController#importOver. This vulnerability allows attackers to delete arbitrary files via a crafted POST...
CVE-2024-34995 - svnWebUI v1.8.3 was discovered to contain an arbit
CVE ID : CVE-2024-34995 Published : May 24, 2024, 4:15 p.m. 17 minutes ago Description : svnWebUI v1.8.3 was discovered to contain an arbitrary file deletion vulnerability via the dirTemps parameter under com.cym.controller.UserController#importOver. This vulnerability allows attackers to delete arbitrary files via a crafted POST request. Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVSS V3.1

Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability Impact: Low
