CVE-2024-9301

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

Published: Sep 27, 2024 / Updated: 53d ago

010
CVSS 8.7EPSS 0.04%High
CVE info copied to clipboard

Summary

A path traversal issue exists in E2Nest prior to commit 8a41948e553c89c56b14410c6ed395e9cfb9250a. This vulnerability allows an attacker to access files and directories stored outside the web root folder. The vulnerability affects E2Nest versions up to, but not including, the version released on 2024-09-05.

Impact

This vulnerability has a high severity with a CVSS v4 base score of 8.7. It allows attackers to potentially read sensitive files on the server, leading to unauthorized access to confidential information. The attack vector is network-based, requires low complexity, and can be executed without user interaction or privileges, making it relatively easy to exploit. While the vulnerability only affects the confidentiality of the system (rated as HIGH), leaving integrity and availability unaffected, it still poses a significant risk due to the potential exposure of sensitive data.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been fixed in commit 8a41948e553c89c56b14410c6ed395e9cfb9250a of E2Nest. Users should update to a version of E2Nest that includes this commit or a later version.

Mitigation

1. Priority should be given to updating E2Nest to the version that includes commit 8a41948e553c89c56b14410c6ed395e9cfb9250a or later. 2. If immediate patching is not possible, implement strict input validation and sanitization for all user-supplied input that could be used in file system operations. 3. Deploy a web application firewall (WAF) to help detect and block path traversal attempts. 4. Apply the principle of least privilege for file system access. 5. Regularly audit and monitor file system access logs for any suspicious activities. 6. Ensure that all instances of E2Nest in the environment are identified and included in the patching process.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9301

Sep 27, 2024 at 6:15 PM
CVSS

A CVSS base score of 8.7 has been assigned.

Sep 27, 2024 at 6:20 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9301. See article

Sep 27, 2024 at 6:22 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 27, 2024 at 6:32 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 11.1%)

Sep 28, 2024 at 9:21 AM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 7, 2024 at 1:15 PM / nvd
Threat Intelligence Report

CVE-2024-9301 is a critical Local File Inclusion (LFI) vulnerability in E2nest that arises from improper handling of model path traversal. The details regarding its exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors are not provided in the available information. Further investigation is necessary to assess the full scope and implications of this vulnerability. See article

Nov 4, 2024 at 3:08 AM
Static CVE Timeline Graph

Affected Systems

Netflix/e2nest
+null more

Patches

github.com
+null more

Attack Patterns

CAPEC-126: Path Traversal
+null more

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI