HIGHCVE-2024-43395CVSS 8.2

CVE-2024-43395: Directory Traversal in CraftOS-PC

Q: What is CVE-2024-43395 — Directory Traversal in CraftOS-PC?

CVE-2024-43395 is a directory traversal vulnerability affecting CraftOS-PC 2 on Windows, allowing attackers to access files without permission by manipulating directory paths.

Q: Am I affected by CVE-2024-43395 in CraftOS-PC?

You are affected if you are using CraftOS-PC 2 on Windows with a version equal to or less than 2.8.2.

Q: How do I fix CVE-2024-43395 in CraftOS-PC?

Upgrade CraftOS-PC 2 to version 2.8.3 or later to patch the vulnerability. Consider stricter file access controls as an interim measure.

Q: Where can I find the official CraftOS-PC advisory for CVE-2024-43395?

Refer to the CraftOS-PC project's official website or GitHub repository for the latest advisory and release notes.

Platform

windows

Component

craftos2

Fixed in

2.8.4

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026

View on NVD

Save

CVE-2024-43395 describes a directory traversal vulnerability discovered in CraftOS-PC 2, a C++ rewrite of the ComputerCraft desktop port. This flaw allows unauthorized access to files on a Windows system by manipulating directory paths. The vulnerability affects versions of CraftOS-PC 2 up to and including 2.8.2, and a patch is available in version 2.8.3.

Impact and Attack Scenarios

An attacker exploiting this vulnerability could gain access to sensitive files stored on the affected Windows system, including configuration files, user data, and potentially even system binaries. The ability to bypass the internal directory traversal check allows for unrestricted file access, significantly expanding the potential impact. This could lead to data breaches, privilege escalation, or even remote code execution if the accessed files are used in subsequent attacks. The lack of notice or permission required for file access makes this a particularly concerning vulnerability.

Exploitation Context

This vulnerability was publicly disclosed on August 16, 2024. There is currently no indication of active exploitation campaigns targeting CVE-2024-43395, nor is it listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the ease of exploitation suggests they may emerge. The vulnerability's relatively simple nature increases the likelihood of exploitation.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureLow

EPSS

0.03% (10% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentcraftos2

VendorMCJack123

Affected rangeFixed in

< 2.8.3 – < 2.8.32.8.4

Weakness Classification (CWE)

CWE-22

Timeline

Reserved2024-08-12
Published2024-08-16
Modified2024-08-19
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-43395 is to upgrade CraftOS-PC 2 to version 2.8.3 or later, which includes a patch for the directory traversal vulnerability. If immediate upgrading is not possible, consider implementing stricter file access controls on the system running CraftOS-PC 2. This could involve limiting the user account running CraftOS-PC 2 to only the necessary files and directories. Monitor system logs for unusual file access patterns that might indicate exploitation attempts. After upgrading, confirm the fix by attempting to access files outside the intended directory using obfuscated '..' sequences; access should be denied.

How to fix

Actualice CraftOS-PC a la versión 2.8.3 o superior. Esta versión contiene una corrección para la vulnerabilidad de escape del sistema de archivos. Descargue la última versión desde el sitio web oficial o desde el repositorio de GitHub.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-43395 — Directory Traversal in CraftOS-PC?

CVE-2024-43395 is a directory traversal vulnerability affecting CraftOS-PC 2 on Windows, allowing attackers to access files without permission by manipulating directory paths.

Am I affected by CVE-2024-43395 in CraftOS-PC?

You are affected if you are using CraftOS-PC 2 on Windows with a version equal to or less than 2.8.2.

How do I fix CVE-2024-43395 in CraftOS-PC?

Upgrade CraftOS-PC 2 to version 2.8.3 or later to patch the vulnerability. Consider stricter file access controls as an interim measure.

Is CVE-2024-43395 being actively exploited?

There is currently no indication of active exploitation campaigns, but the vulnerability's simplicity suggests potential for future exploitation.

Where can I find the official CraftOS-PC advisory for CVE-2024-43395?

Refer to the CraftOS-PC project's official website or GitHub repository for the latest advisory and release notes.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Local — attacker needs a local shell or interactive session on the system.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: None — no availability impact. Service remains fully operational.