CVE-2024-6049

Path Traversal: '...' (Triple Dot) (CWE-32)

Published: Oct 24, 2024 / Updated: 26d ago

CVSS 7.5 / EPSS 0.04% / High

The web server of Lawo AG vsm LTC Time Sync (vTimeSync) is affected by a "..." (triple dot) path traversal vulnerability. By sending a specially crafted HTTP request, an unauthenticated remote attacker could download arbitrary files from the operating system. As a limitation, the exploitation is only possible if the requested file has some file extension, e.g. .exe or .txt.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-6049. See article

Oct 24, 2024 at 7:58 AM / CVE - NEW | THREATINT
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 24, 2024 at 7:58 AM
Threat Intelligence Report

CVE-2024-6049 is a critical unauthenticated path traversal vulnerability in the vsm LTC Time Sync (vTimeSync) web interface, allowing remote attackers to download arbitrary files from the system, particularly if the application is running with SYSTEM privileges. A proof-of-concept exploit is available, and the vendor has released a patch in version 4.5.6.0 and later, while versions prior to 4.5 are affected. There are no workarounds mentioned, and the article does not indicate any exploitation in the wild or downstream impacts on other vendors. See article

Oct 24, 2024 at 7:59 AM
CVE Assignment

NVD published the first details for CVE-2024-6049

Oct 24, 2024 at 8:15 AM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 24, 2024 at 11:35 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 24, 2024 at 3:40 PM / nvd
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 25, 2024 at 3:47 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 25, 2024 at 10:08 AM

References

Unauthenticated Path Traversal Vulnerability in Lawo AG vsm LTC Time Sync (vTimeSync)
The vendor provides a patch in versions after v4.5, such as version 4.5.6.0, which can be downloaded from the following URL. To exploit the vulnerability it is sufficient to use the following curl command to send a request to the vulnerable web server:

News

Vulnerability Summary for the Week of October 21, 2024
High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source Info Patch Info Admin--Verbalize WP Unrestricted Upload of File with Dangerous Type vulnerability in Admin Verbalize WP Upload a Web Shell to a Web Server. This issue affects Verbalize WP: from n/a through 1.0. 2024-10-23 10 CVE-2024-49668 audit@patchstack.com advancedcoding--Comments wpDiscuz The Comments - wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. 2024-10-25 9.8 CVE-2024-9488 security@wordfence.com Alexander De Ridder--INK Official Unrestricted Upload of File with Dangerous Type vulnerability in Alexander De Ridder INK Official allows Upload a Web Shell to a Web Server. This issue affects INK Official: from n/a through 4.1.2. 2024-10-23 9.9 CVE-2024-49669 audit@patchstack.com Amazon--Amazon.ApplicationLoadBalancer.Identity.AspNetCore Middleware The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo https://github.com/awslabs/aws-alb-identity-aspnetcore#validatetokensignature contains Middleware that can be used in conjunction with the Application Load Balancer (ALB) OpenId Connect integration and can be used in any ASP.NET https://dotnet.microsoft.com/apps/aspnet Core deployment scenario, including Fargate, EKS, ECS, EC2, and Lambda. In the JWT handling code, it performs signature validation but fails to validate the JWT issuer and signer identity.
The signer omission, if combined with a scenario where the infrastructure owner allows internet traffic to the ALB targets (not a recommended configuration), can allow for JWT signing by an untrusted entity and an actor may be able to mimic valid OIDC-federated sessions to the ALB targets.
Lawo AG vsm LTC Time Sync Path Traversal
Telling vendor that HTTPS won't fix the problem, describing the security issue again, providing link to OWASP path traversal page, etc. "All products are developed in Germany and manufactured according to highest quality standards at the company's headquarters in the Rhine valley town of Rastatt, Germany." Source: https://lawo.com/company/about-us/ Business recommendation: The vendor provides a patch which should be installed immediately.
Lawo AG vsm LTC Time Sync Path Traversal
SEC Consult highly recommends performing a thorough security review of the product. SEC Consult Vulnerability Lab

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
