Exploit
CVE-2024-8865

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Sep 15, 2024 / Updated: 2mo ago

CVSS 5.1 / EPSS 0.05% / Medium

Summary

A vulnerability classified as problematic was discovered in composiohq composio versions up to 0.5.8. The issue affects the function path of the file composio\server\api.py. Manipulation of the argument file can lead to path traversal.

Impact

This vulnerability allows an attacker to potentially access files and directories that are outside of the intended directory structure. This could lead to unauthorized access to sensitive information, system files, or other critical data stored on the server. The confidentiality impact is rated as HIGH, while integrity and availability impacts are rated as NONE.

Exploitation

One proof-of-concept exploit is available on notion.site. There is no evidence of exploitation in the wild at the moment.

Patch

As of the latest information provided, no specific patch has been mentioned. The vendor was contacted about this disclosure but did not respond.

Mitigation

1. Upgrade composiohq composio to a version newer than 0.5.8 if available.
2. Implement strong input validation and sanitization for file paths.
3. Use a whitelist of allowed file paths and restrict access to only necessary directories.
4. Implement the principle of least privilege for file system access.
5. Monitor and log file access attempts for suspicious activity.
6. Consider implementing additional security measures such as Web Application Firewalls (WAF) to help detect and prevent path traversal attempts.
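Mitigation items 2, 3 and 5 in working form, as an added example that is not composio's own code: the requested file is resolved inside a fixed download directory, rejected and logged if it lands outside it. The function names, the directory layout and the sample requests are constructed for this illustration.

```python
# Added example (not composio's own code): confine a user-supplied "file"
# argument to a fixed download directory; names and layout are hypothetical.
import logging
import tempfile
from pathlib import Path

log = logging.getLogger("download")


class PathTraversalError(ValueError):
    """Raised when the requested file would escape the allowed directory."""


def resolve_download_path(base_dir: str, file: str) -> Path:
    """Return the real path of `file` inside `base_dir`, or raise.

    Symlinks and '..' are resolved *before* the comparison, so 'a/../../x',
    '/etc/passwd' and a symlink pointing outside base_dir are all rejected.
    """
    base = Path(base_dir).resolve()
    # Treat the request as relative even if it starts with a separator:
    # joining an absolute path onto `base` would otherwise discard `base`.
    candidate = (base / file.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        # Mitigation item 5: log the rejected request so it can be alerted on.
        log.warning("path traversal attempt rejected: %r", file)
        raise PathTraversalError(f"{file!r} is outside the allowed directory")
    if not candidate.is_file():
        raise FileNotFoundError(file)
    return candidate


def demo() -> dict:
    """Constructed scenario: which requests the check accepts or rejects."""
    root = Path(tempfile.mkdtemp())
    allowed = root / "downloads"
    allowed.mkdir()
    (allowed / "report.txt").write_text("ok")
    (root / "secret.txt").write_text("must stay unreadable")
    results = {}
    for req in ("report.txt", "../secret.txt", "/report.txt", "sub/../report.txt"):
        try:
            results[req] = resolve_download_path(str(allowed), req).name
        except PathTraversalError:
            results[req] = "rejected"
    return results
```

Comparing resolved paths rather than scanning the string for `..` is what makes the check hold for symlinks and for mixed forms such as `sub/../report.txt`.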

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8865. See article

Sep 15, 2024 at 1:12 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 15, 2024 at 1:12 AM
CVE Assignment

NVD published the first details for CVE-2024-8865

Sep 15, 2024 at 1:15 AM
CVSS

A CVSS base score of 3.5 has been assigned.

Sep 15, 2024 at 1:20 AM / nvd
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 15, 2024 at 1:57 AM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.3%)

Sep 15, 2024 at 12:06 PM
CVSS

A CVSS base score of 4.9 has been assigned.

Sep 17, 2024 at 10:55 AM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Sep 17, 2024 at 2:10 PM
CVSS

A CVSS base score of 4.9 has been assigned.

Sep 17, 2024 at 2:10 PM / nvd

Affected Systems

Composio/composio

Exploits

https://rumbling-slice-eb0.notion.site/There-is-an-arbitrary-file-read-vulnerability-at-api-download-in-composiohq-composio-f0ec1ec26a5f434a97bb1ffde435a35b?pvs=4

Attack Patterns

CAPEC-126: Path Traversal

News

CVE-2024-8865 Exploit
CVE Id : CVE-2024-8865 Published Date: 2024-09-17T10:50:00+00:00 A vulnerability was found in composiohq composio up to 0.5.8 and classified as problematic. Affected by this issue is the function path of the file composio\server\api.py. The manipulation of the argument file leads to path traversal. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. inTheWild added a link to an exploit: https://rumbling-slice-eb0.notion.site/There-is-an-arbitrary-file-read-vulnerability-at-api-download-in-composiohq-composio-f0ec1ec26a5f434a97bb1ffde435a35b?pvs=4

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
