Lucene search

GitHub_MCVELIST:CVE-2024-23822

HistoryJan 29, 2024 - 3:46 p.m.

CVE-2024-23822 Thruk Incorrect limitation of a pathname to a restricted directory (Path Traversal) (CWE-22)

2024-01-2915:46:30

CWE-22

GitHub_M

www.cve.org

thruk

web monitoring

arbitrary file uploads

restricted directories

path traversal

cwe-22

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

9.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.8%

JSON

Thruk is a multibackend monitoring webinterface. Prior to 3.12, the Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as Path Traversal or Directory Traversal. Version 3.12 fixes the issue.

CNA Affected

[
  {
    "vendor": "sni",
    "product": "Thruk",
    "versions": [
      {
        "version": "< 3.12",
        "status": "affected"
      }
    ]
  }
]

References

github.com/sni/Thruk/commit/1aa9597cdf2722a69651124f68cbb449be12cc39

github.com/sni/Thruk/security/advisories/GHSA-4mrh-mx7x-rqjx

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

9.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.8%

JSON

Related for CVELIST:CVE-2024-23822