Platform: other
Component: dvc
Fixed in: 6.3.1
CVE-2024-11312 is a critical path traversal vulnerability in TRCore DVC versions 6.0 through 6.3. The upload handler neither confines the destination path to its intended upload directory nor restricts the type of file it accepts, so an unauthenticated remote attacker can write arbitrary files to the server, potentially leading to remote code execution. TRCore fixed the issue in version 6.3.1.
The impact is severe. By combining the traversal with the missing file type check, an attacker can place a malicious file such as a webshell in any directory the DVC service account can write to, including web-served directories. Successful exploitation gives the attacker code execution as that account, which in practice compromises the host running DVC and opens the way to data theft, system takeover and lateral movement within the network. Because no authentication is required, any remote party able to reach the upload endpoint can attempt it.
The vulnerability was publicly disclosed on November 18, 2024. No active exploitation campaign has been confirmed, but the critical CVSS score, the unauthenticated attack path and the simplicity of a file upload request make exploitation likely. The CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
Exploit Status
EPSS: 5.16% (90th percentile)
The primary mitigation is to upgrade TRCore DVC to version 6.3.1 or later without delay. Where an immediate upgrade is not feasible, apply temporary workarounds: restrict uploads to an explicit allowlist of file types, ensure the upload path cannot reach outside the intended upload directory, and tighten filesystem permissions so the DVC service account cannot write to web-served or system directories. A Web Application Firewall can block upload requests carrying traversal sequences, but remember that these arrive in raw, URL-encoded and mixed encodings, so rules must cover all of them. Monitor DVC and web server logs for unusual upload activity, especially file names containing "..", and deploy intrusion detection signatures for the same patterns.
The fix is to update DVC to 6.3.1 or a later release, which corrects both the path traversal and the missing restriction on uploaded file types. See the release notes for details of the update.
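The two root causes described above, an upload destination built from the client-supplied name and no restriction on file type, are easy to show side by side. The following is an added example written for this page; it is not TRCore's code and says nothing about how DVC's own upload handler is written. The allowlist of types, the directory names, the endpoint in the sample log lines and the `.aspx` extension are all placeholders chosen for illustration.

```python
"""Hardening an upload handler against an unconfined destination path and
missing file-type restrictions, plus a log scan for traversal attempts.
Added example for this page; not TRCore's code."""
import os
import re
import secrets
from pathlib import Path

# Assumed allowlist for this deployment: permitted extension -> magic-byte
# prefixes the uploaded content must start with. A real deployment would
# list the document types it actually needs.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_destination(upload_dir: str, client_filename: str) -> str:
    """The bug pattern: the client-controlled name is joined onto the upload
    directory unchanged and no file type is refused, so a name such as
    "../../wwwroot/shell.aspx" resolves outside upload_dir."""
    return os.path.join(upload_dir, client_filename)


def stays_inside(upload_dir: str, dest: str) -> bool:
    """True if dest, after collapsing '..' components, lies under upload_dir."""
    root = os.path.normpath(upload_dir)
    return os.path.commonpath([root, os.path.normpath(dest)]) == root


def safe_destination(upload_dir: str, client_filename: str, head: bytes) -> Path:
    """Hardened replacement. The stored name is generated server-side, so the
    client name can never steer the destination; only its extension is read,
    and only allowlisted extensions whose magic bytes match are accepted."""
    base = Path(upload_dir).resolve()
    # Keep the last path component only, treating "/" and "\" as separators
    # because Windows clients send backslashes.
    leaf = re.split(r"[\\/]", client_filename)[-1]
    ext = Path(leaf).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    if not any(head.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match {ext}")
    stored = base / (secrets.token_hex(16) + ext)
    # Defence in depth: the resolved path must sit directly under base.
    if stored.resolve().parent != base:
        raise UploadRejected("destination escaped the upload directory")
    return stored


def check_upload(upload_dir: str, client_filename: str, head: bytes):
    """Return None if the upload is acceptable, otherwise the rejection reason."""
    try:
        safe_destination(upload_dir, client_filename, head)
    except UploadRejected as exc:
        return str(exc)
    return None


# Traversal in raw ("../"), URL-encoded ("%2e%2e%2f") or mixed ("..%2F") form;
# a WAF or IDS rule that only matches the raw form misses the other two.
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|%2f|%5c)|%2e%2e(?:[\\/]|%2f|%5c)", re.IGNORECASE)


def find_traversal_attempts(log_lines):
    """Return the lines whose request carries a traversal sequence."""
    return [line for line in log_lines if TRAVERSAL.search(line)]


# Constructed sample lines in combined log format. The endpoint, directory
# names and extension are placeholders, not TRCore DVC specifics.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Nov/2024:10:01:02 +0800] "POST /upload?name=report.pdf HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Nov/2024:10:01:07 +0800] "POST /upload?name=../../wwwroot/cmd.aspx HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Nov/2024:10:01:09 +0800] "POST /upload?name=..%2F..%2Fwwwroot%2Fcmd.aspx HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Nov/2024:10:01:12 +0800] "POST /upload?name=%2e%2e%5c%2e%2e%5cwwwroot%5ccmd.aspx HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("vulnerable:", vulnerable_destination("/srv/dvc/uploads", "../../wwwroot/shell.aspx"))
    print("reject aspx:", check_upload("uploads", "shell.aspx", b"<%@ Page"))
    print("reject fake pdf:", check_upload("uploads", "shell.pdf", b"<%@ Page"))
    print("accept:", safe_destination("uploads", "../../report.pdf", b"%PDF-1.7\n"))
    for line in find_traversal_attempts(SAMPLE_LOG):
        print("ALERT:", line)
```

The important design choice is that the client's file name never becomes part of the stored path, which removes the traversal entirely rather than trying to sanitise it; the extension allowlist and magic-byte check then cover the second root cause, and the final `resolve()` check is a cheap guard against future regressions. The log scan is the minimum a detection rule needs to cover, since the same traversal arrives in several encodings.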
CVE-2024-11312 is a critical vulnerability in TRCore DVC versions 6.0-6.3 that allows unauthenticated attackers to upload arbitrary files, potentially leading to code execution.
If you are using TRCore DVC versions 6.0, 6.1, 6.2, or 6.3, you are potentially affected by this vulnerability. Upgrade to 6.3.1 or later to mitigate the risk.
The recommended fix is to upgrade to TRCore DVC version 6.3.1 or a later version that addresses this vulnerability. If upgrading is not possible, implement temporary workarounds like restricting file uploads and access controls.
While no active exploitation campaigns have been confirmed, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official TRCore security advisory for detailed information and updates regarding CVE-2024-11312.