Platform
python
Component
pwndoc
Fixed in
1.0.1
CVE-2024-55602 describes a Path Traversal vulnerability discovered in PwnDoc, a penetration test report generator. This vulnerability allows authenticated users to read arbitrary files on the system by injecting path traversal sequences into the file extension property of templates. The vulnerability affects versions of PwnDoc prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, and a patch is available in that commit.
An attacker exploiting this vulnerability could gain unauthorized access to sensitive files stored on the system where PwnDoc is running. This could include configuration files, source code, or other confidential data. The ability to read arbitrary files significantly expands the potential attack surface, allowing an attacker to gather information for further exploitation or compromise the system's integrity. While authentication is required, the ease of exploitation once authenticated poses a significant risk, especially in environments where user privileges are not strictly controlled.
CVE-2024-55602 was publicly disclosed on December 10, 2024. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the ease of exploitation suggests that it could become a target for opportunistic attackers. The vulnerability's reliance on authentication limits its immediate impact but could be leveraged in environments with compromised user accounts.
Exploit Status
EPSS
0.46% (64% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-55602 is to upgrade PwnDoc to version 1d4219c596f4f518798492e48386a20c6e9a2fe6, which contains the fix. If upgrading is not immediately possible, restrict access to template update and download functionalities to only trusted users. Implement strict input validation on file extension properties to prevent the injection of path traversal sequences. Consider using a Web Application Firewall (WAF) with rules to detect and block attempts to access files outside of the intended directory. After upgrade, confirm the fix by attempting to upload a template with a path traversal sequence in the file extension and verifying that access is denied.
Actualice PwnDoc a la versión posterior al commit 1d4219c596f4f518798492e48386a20c6e9a2fe6. Esto corrige la vulnerabilidad de path traversal al actualizar y descargar plantillas. La actualización se puede realizar a través del gestor de paquetes de Python o descargando la última versión del repositorio.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-55602 is a Path Traversal vulnerability in PwnDoc versions before 1d4219c596f4f518798492e48386a20c6e9a2fe6, allowing authenticated users to read arbitrary files.
You are affected if you are using PwnDoc versions prior to 1d4219c596f4f518798492e48386a20c6e9a2fe6. Check your version and upgrade immediately.
Upgrade PwnDoc to version 1d4219c596f4f518798492e48386a20c6e9a2fe6. Restrict template access and validate file extensions as a temporary workaround.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests it could become a target.
Refer to the PwnDoc project repository and associated security advisories for the latest information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.