Platform
java
Component
com.reposilite:reposilite-backend
Fixed in
3.3.1
3.5.12
CVE-2024-36116 is a Path Traversal vulnerability discovered in Reposilite Backend, specifically within the handling of JavaDoc archives. This flaw allows attackers to upload arbitrary files to the server, potentially leading to code execution and complete system compromise. The vulnerability impacts Reposilite Backend versions 3.5.10 and earlier. A fix is available in version 3.5.12.
The Arbitrary File Upload vulnerability allows an attacker to upload malicious files to the Reposilite server. This could include web shells, backdoors, or other executable code. Successful exploitation could lead to complete server compromise, allowing the attacker to read, modify, or delete sensitive data, execute arbitrary commands, and potentially pivot to other systems on the network. The ability to upload arbitrary files bypasses standard security controls and significantly expands the attack surface. The impact is amplified if Reposilite is deployed in a critical infrastructure environment or handles sensitive data.
CVE-2024-36116 was publicly disclosed on August 2, 2024. There is currently no indication of active exploitation in the wild, but the availability of a public description and the ease of exploitation make it a high-priority vulnerability. The vulnerability's simplicity suggests a potential for rapid exploitation. It is not currently listed on the CISA KEV catalog.
Organizations using Reposilite Backend to manage software repositories are at risk, particularly those running version 3.5.10 or earlier. Deployments where Reposilite is exposed to untrusted networks, or where JavaDoc archives come from external, unverified sources, are at higher risk. Shared hosting environments using Reposilite are also vulnerable, since a compromised account could potentially exploit this vulnerability.
• linux / server:
journalctl -u reposilite -g "JavadocEndpoints.kt"
• generic web:
curl -I http://your-reposilite-server/javadocs/path/to/malicious/file.php
• generic web:
grep -r 'JavadocEndpoints.kt' /var/log/apache2/access.log
Disclosure
Exploit status
EPSS
27.70% (96th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-36116 is to immediately upgrade Reposilite Backend to version 3.5.12 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict file upload permissions and carefully validate all uploaded files. Implement strict input validation on the Javadoc archive expansion functionality to prevent path traversal attempts. Employ a Web Application Firewall (WAF) with rules to block suspicious file upload requests and patterns. Regularly scan the Reposilite installation for unauthorized files.
Update Reposilite to version 3.5.12 or later. This version fixes the path traversal vulnerability triggered when expanding Javadoc archives. The update prevents the possible overwriting of local files and remote code execution.
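One way to apply the archive-expansion validation recommended above, as an added example in Java (not Reposilite's own code): every entry name in the Javadoc jar is resolved against the unpack directory and normalized, and any entry that would land outside that directory is rejected before anything is written to disk. The unpack directory path and the in-memory archives are constructed placeholders.

```java
import java.io.*;
import java.nio.file.Path;
import java.util.*;
import java.util.zip.*;

public class SafeJavadocUnpack {
    // Resolve one archive entry name below destDir; reject any entry that would land outside it.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        // Path.startsWith compares whole path components, so "/tmp/out-evil" does not match "/tmp/out".
        if (!target.startsWith(base)) {
            throw new IOException("archive entry escapes destination: " + entryName);
        }
        return target;
    }

    // Walk every entry before writing anything, so a hostile archive is rejected as a whole.
    static List<Path> planExtraction(byte[] archive, Path destDir) throws IOException {
        List<Path> targets = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry e = zin.getNextEntry(); e != null; e = zin.getNextEntry()) {
                targets.add(resolveEntry(destDir, e.getName()));
            }
        }
        return targets;
    }

    // Constructed in-memory archive with the given entry names (placeholder content, not a real Javadoc jar).
    static byte[] constructedArchive(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (String name : names) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write(new byte[] {'x'});
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Path.of("/tmp/javadoc-unpacked"); // hypothetical unpack directory
        System.out.println(planExtraction(constructedArchive("index.html", "com/example/Foo.html"), dest));
        try {
            planExtraction(constructedArchive("index.html", "../../outside.txt"), dest);
        } catch (IOException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Absolute entry names are covered by the same check, because resolving an absolute path against the base yields that absolute path, which then fails the startsWith test.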
CVE-2024-36116 is a Path Traversal vulnerability in Reposilite Backend versions 3.5.10 and earlier, allowing attackers to upload arbitrary files via manipulated Javadoc archives.
If you are running Reposilite Backend version 3.5.10 or earlier, you are potentially affected by this vulnerability. Upgrade to version 3.5.12 or later to mitigate the risk.
The recommended fix is to upgrade Reposilite Backend to version 3.5.12 or later. Temporary workarounds include restricting file upload permissions and implementing input validation.
As of now, there are no confirmed reports of active exploitation of CVE-2024-36116, but it's crucial to apply the patch promptly.
Refer to the official Reposilite security advisory on their GitHub repository for detailed information and updates: https://github.com/dzikoysk/reposilite/security/advisories/GHSA-xxxx-xxxx-xxxx