Platform: other
Component: trcore-dvc
Fixed in: 6.3.1
CVE-2024-11315 describes a critical Path Traversal vulnerability affecting TRCore DVC versions 6.0 through 6.3. This flaw allows unauthenticated attackers to upload arbitrary files, potentially enabling remote code execution. The vulnerability stems from inadequate file type restrictions during uploads. A patch is available in version 6.3.1.
The impact of CVE-2024-11315 is severe. An attacker can leverage this vulnerability to upload malicious files, such as webshells, to any directory on the system. Successful exploitation grants the attacker the ability to execute arbitrary code with the privileges of the DVC process. This could lead to complete system compromise, data exfiltration, and denial of service. The lack of authentication requirements significantly broadens the attack surface, making it accessible to a wide range of attackers.
CVE-2024-11315 was publicly disclosed on November 18, 2024. The vulnerability's ease of exploitation, combined with its CRITICAL severity, suggests a high probability of exploitation. Currently, no public proof-of-concept (POC) code has been released, but the simplicity of the attack vector makes it likely that such code will emerge. The vulnerability has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS: 5.16% (90th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11315 is to upgrade TRCore DVC to version 6.3.1 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing strict file type validation on the upload endpoint using a web application firewall (WAF) or proxy. Restrict write access to the upload directory to only the DVC process. Monitor upload logs for suspicious file extensions or unusual file names. After upgrading, confirm the fix by attempting to upload a file with a restricted extension (e.g., .php) and verifying that the upload is rejected.
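The interim controls listed above (strict file-type validation on the upload endpoint, keeping every write inside the upload directory, and reviewing upload logs for suspicious names) as an added, generic Python example. This is illustration code written for this page, not TRCore DVC's code or the vendor's 6.3.1 fix; the allow-list, the executable-extension list, the upload-root path and the log format and sample lines are all constructed, and the version-specific behaviour of the real product is not known from this advisory.

```python
"""Upload-name validation and upload-log triage for the unrestricted-upload /
path-traversal bug class. Generic illustration, not TRCore DVC code."""
import re
from pathlib import Path, PurePosixPath
from typing import List, Optional, Tuple

# Constructed allow-list: what this hypothetical endpoint legitimately accepts.
ALLOWED_EXTENSIONS = {".jpg", ".png", ".pdf", ".csv"}

# Constructed list of extensions a server may execute if written under a web root.
EXECUTABLE_EXTENSIONS = {".php", ".jsp", ".jspx", ".asp", ".aspx", ".sh", ".py", ".war"}


def rejection_reason(name: str, allowed_ext=ALLOWED_EXTENSIONS) -> Optional[str]:
    """Return None if `name` is an acceptable bare filename, else a short reason.

    Checks, in order: empty/NUL (classic extension-check bypass), any directory
    separator or '.'/'..' segment (traversal), hidden files, missing extension,
    an executable extension anywhere in the name (catches 'x.php.jpg'), and
    finally that the last extension is on the allow-list.
    """
    if not name or "\x00" in name:
        return "empty or NUL byte"
    if "/" in name or "\\" in name or name in (".", ".."):
        return "path separator or traversal segment"
    if name.startswith("."):
        return "hidden file"
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return "no extension"
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return "executable extension"
    if suffixes[-1] not in allowed_ext:
        return "extension not on allow-list"
    return None


def is_safe_upload_name(name: str, allowed_ext=ALLOWED_EXTENSIONS) -> bool:
    """Boolean form of rejection_reason() for use at the upload endpoint."""
    return rejection_reason(name, allowed_ext) is None


def resolve_upload_path(upload_root: str, name: str) -> Optional[Path]:
    """Join `name` onto `upload_root`; return the path only if it stays inside root.

    Defence in depth behind the name check: an absolute name replaces the root
    when joined, and '..' segments climb out, so the resolved path must still
    be relative to the resolved root (and must not be the root itself).
    """
    root = Path(upload_root).resolve()
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    if candidate == root:
        return None
    return candidate


# Constructed sample upload-log lines; the format is invented for this example.
SAMPLE_UPLOAD_LOG = """\
2024-11-18T10:01:02Z 203.0.113.7 POST /upload name=report.pdf status=200
2024-11-18T10:01:09Z 203.0.113.7 POST /upload name=../../webroot/cmd.php status=200
2024-11-18T10:02:15Z 198.51.100.4 POST /upload name=photo.png status=200
2024-11-18T10:03:44Z 198.51.100.4 POST /upload name=image.php.jpg status=200
2024-11-18T10:04:01Z 192.0.2.9 POST /upload name=notes.txt status=200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /upload name=(?P<name>\S+) status=(?P<status>\d+)$"
)


def scan_upload_log(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, ip, name, reason) for each logged upload failing validation."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        reason = rejection_reason(m.group("name"))
        if reason:
            findings.append((m.group("ts"), m.group("ip"), m.group("name"), reason))
    return findings


if __name__ == "__main__":
    for ts, ip, name, reason in scan_upload_log(SAMPLE_UPLOAD_LOG):
        print(f"{ts} {ip} rejected {name!r}: {reason}")
```

The same `rejection_reason()` serves both the endpoint check (reject before writing) and retrospective log review, so the two stay in sync; the log scanner flags names that would fail today's rules even though they were logged as status 200, which is exactly the kind of entry to examine after applying a vendor patch.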
Update TRCore DVC to a version later than 6.3 to fix the path traversal and arbitrary file upload vulnerability. This will prevent arbitrary code execution on the system. Refer to the vendor's website for the latest version and upgrade instructions.
CVE-2024-11315 is a critical vulnerability in TRCore DVC versions 6.0-6.3 that allows attackers to upload arbitrary files, potentially leading to code execution.
You are affected if you are using TRCore DVC versions 6.0, 6.1, 6.2, or 6.3. Upgrade to 6.3.1 or later to mitigate the risk.
Upgrade TRCore DVC to version 6.3.1 or later. As a temporary workaround, implement strict file type validation and restrict write access to the upload directory.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official TRCore security advisory for detailed information and updates: [https://trcore.com/security/advisories](https://trcore.com/security/advisories)