Platform
python
Component
pwndoc
Fixed in
1.0.1
CVE-2024-55602 describes a Path Traversal vulnerability discovered in PwnDoc, a penetration test report generator. This vulnerability allows authenticated users to read arbitrary files on the system by injecting path traversal sequences into the file extension property of templates. The vulnerability affects versions of PwnDoc prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, and a patch is available in that commit.
An attacker exploiting this vulnerability could gain unauthorized access to sensitive files stored on the system where PwnDoc is running. This could include configuration files, source code, or other confidential data. The ability to read arbitrary files significantly expands the potential attack surface, allowing an attacker to gather information for further exploitation or compromise the system's integrity. While authentication is required, the ease of exploitation once authenticated poses a significant risk, especially in environments where user privileges are not strictly controlled.
CVE-2024-55602 was publicly disclosed on December 10, 2024. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the ease of exploitation suggests that it could become a target for opportunistic attackers. The vulnerability's reliance on authentication limits its immediate impact but could be leveraged in environments with compromised user accounts.
Organizations using PwnDoc for penetration testing and report generation are at risk, particularly those with less stringent access controls. Shared hosting environments where multiple users have access to PwnDoc templates are especially vulnerable, as a compromised user account could be used to exploit this vulnerability.
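• python: Monitor PwnDoc logs for unusual file access attempts, especially those involving ../ sequences. Use Python's os.path.abspath() function to normalize file paths before processing them, and reject any path that falls outside the base directory:

    import os

    base_directory = os.path.abspath("templates")  # example base directory
    user_supplied_path = "report.docx"             # example untrusted input
    filepath = os.path.abspath(os.path.join(base_directory, user_supplied_path))
    # Compare whole path components; a plain startswith() would also accept "templates_old"
    if os.path.commonpath([base_directory, filepath]) != base_directory:
        # Reject the path
        print("Invalid path")

• generic web: Examine web server access logs for requests containing path traversal patterns (e.g., ../../).
• generic web: Check for unusual file extensions being uploaded or accessed through PwnDoc's interface.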
disclosure
Exploit status
EPSS
0.46% (64th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-55602 is to upgrade PwnDoc to a build that includes commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, which contains the fix. If upgrading is not immediately possible, restrict access to the template update and download functionality to trusted users only. Implement strict input validation on file extension properties to prevent the injection of path traversal sequences. Consider using a Web Application Firewall (WAF) with rules to detect and block attempts to access files outside of the intended directory. After upgrading, confirm the fix by attempting to upload a template with a path traversal sequence in the file extension and verifying that access is denied.
Upgrade PwnDoc to a version later than commit 1d4219c596f4f518798492e48386a20c6e9a2fe6. This fixes the path traversal vulnerability when updating and downloading templates. The upgrade can be done through the Python package manager or by downloading the latest version from the repository.
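One way to implement the strict validation of the file extension property described above, as an added example and not PwnDoc's own patch. The names `template_path` and `is_allowed`, the allowlist patterns and the `/srv/pwndoc/templates` directory are assumptions chosen for illustration.

```python
import os
import re

# Assumed policy: an extension is 1-10 ASCII letters or digits, nothing else.
_EXT_RE = re.compile(r"[A-Za-z0-9]{1,10}")
# Assumed policy: template ids are short, flat names without separators or dots.
_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UnsafeTemplatePath(ValueError):
    """Raised when a template id or extension could escape the template directory."""


def template_path(base_dir: str, template_id: str, ext: str) -> str:
    """Return the absolute path of <template_id>.<ext> inside base_dir.

    Both values are treated as untrusted. The allowlist is the first guard;
    the containment check on the resolved path is a second, independent one.
    """
    # fullmatch() anchors both ends, so "docx\n" or "docx/../x" cannot slip through.
    if not _EXT_RE.fullmatch(ext):
        raise UnsafeTemplatePath(f"rejected extension: {ext!r}")
    if not _ID_RE.fullmatch(template_id):
        raise UnsafeTemplatePath(f"rejected template id: {template_id!r}")

    base = os.path.realpath(base_dir)
    # realpath() also resolves symlinks, which abspath() would leave in place.
    candidate = os.path.realpath(os.path.join(base, f"{template_id}.{ext}"))
    # commonpath() compares whole components, so "/srv/templates-old" is not
    # mistaken for a child of "/srv/templates" the way startswith() would be.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeTemplatePath(f"path escapes base directory: {candidate!r}")
    return candidate


def is_allowed(base_dir: str, template_id: str, ext: str) -> bool:
    """Convenience wrapper: True if the id/extension pair passes both guards."""
    try:
        template_path(base_dir, template_id, ext)
        return True
    except UnsafeTemplatePath:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real traffic.
    for ext in ["docx", "DOCX", "docx/../../../../etc/passwd", "../x", "do cx", ""]:
        print(f"{ext!r:36} -> {is_allowed('/srv/pwndoc/templates', 'report1', ext)}")
```

Rejected values are worth logging with the requesting account, since a traversal sequence in an extension field has no legitimate use.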
CVE-2024-55602 is a Path Traversal vulnerability in PwnDoc versions before 1d4219c596f4f518798492e48386a20c6e9a2fe6, allowing authenticated users to read arbitrary files.
You are affected if you are using PwnDoc versions prior to 1d4219c596f4f518798492e48386a20c6e9a2fe6. Check your version and upgrade immediately.
Upgrade PwnDoc to a build that includes commit 1d4219c596f4f518798492e48386a20c6e9a2fe6. Restrict template access and validate file extensions as a temporary workaround.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests it could become a target.
Refer to the PwnDoc project repository and associated security advisories for the latest information.