Platform
python
Component
mss
Fixed in
5.0.1
CVE-2024-25123 describes a path manipulation vulnerability discovered in the Mission Support System (MSS), an open-source package for planning atmospheric research flights. This flaw allows attackers to potentially access sensitive information by manipulating file paths within the index.py file. The vulnerability affects versions 5.0.0 through 8.3.2, and a fix is available in version 8.3.3.
The vulnerability lies in the _file method within index.py, where the filename route parameter is used to construct file paths without proper sanitization. An attacker can inject path traversal sequences (e.g., ../) into the filename parameter, effectively bypassing intended access controls. This allows them to read arbitrary files accessible to the application's user, potentially exposing sensitive configuration data, source code, or other confidential information. The potential impact includes unauthorized data disclosure and, depending on the files accessible, could lead to further compromise of the system.
This vulnerability was publicly disclosed on 2024-02-15. There are currently no known public exploits or active campaigns targeting this specific vulnerability. Its inclusion in the NVD suggests a moderate level of attention from security researchers. The vulnerability's reliance on path manipulation makes it relatively straightforward to exploit, but the specific context of the Mission Support System's deployment may limit its immediate exploitability.
Exploit Status
EPSS
0.22% (44% percentile)
CVSS Vector
The primary mitigation for CVE-2024-25123 is to upgrade to version 8.3.3 of the Mission Support System. This version includes a fix that properly sanitizes the filename parameter, preventing path traversal attacks. If upgrading is not immediately feasible, consider implementing input validation on the filename parameter at the application level to reject any input containing path traversal sequences. Additionally, restrict file access permissions to the minimum necessary to limit the potential impact of a successful attack. After upgrading, confirm the fix by attempting to access files outside the intended directory using a crafted filename parameter.
Actualice el paquete MSS a la versión 8.3.3 o superior. Esto corrige la vulnerabilidad de manipulación de ruta. Puede actualizar usando `pip install --upgrade mss`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-25123 is a HIGH severity vulnerability affecting Mission Support System versions 5.0.0 through 8.3.2. It allows attackers to manipulate file paths to access sensitive information.
You are affected if you are using Mission Support System versions 5.0.0 through 8.3.2. Upgrade to version 8.3.3 to resolve the vulnerability.
Upgrade to version 8.3.3 of Mission Support System. As a temporary workaround, implement input validation on the filename parameter to prevent path traversal.
There are currently no known public exploits or active campaigns targeting CVE-2024-25123, but its ease of exploitation warrants attention.
Refer to the official Mission Support System project repository and associated security advisories for the latest information on CVE-2024-25123.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.