Platform
other
Component
trcore-dvc
Opgelost in
6.3.1
CVE-2024-11315 describes a critical Path Traversal vulnerability affecting TRCore DVC versions 6.0 through 6.3. This flaw allows unauthenticated attackers to upload arbitrary files, potentially enabling remote code execution. The vulnerability stems from inadequate file type restrictions during uploads. A patch is available in version 6.3.1.
The impact of CVE-2024-11315 is severe. An attacker can leverage this vulnerability to upload malicious files, such as webshells, to any directory on the system. Successful exploitation grants the attacker the ability to execute arbitrary code with the privileges of the DVC process. This could lead to complete system compromise, data exfiltration, and denial of service. The lack of authentication requirements significantly broadens the attack surface, making it accessible to a wide range of attackers.
CVE-2024-11315 was publicly disclosed on November 18, 2024. The vulnerability's ease of exploitation, combined with its CRITICAL severity, suggests a high probability of exploitation. Currently, no public proof-of-concept (POC) code has been released, but the simplicity of the attack vector makes it likely that such code will emerge. The vulnerability has not yet been added to the CISA KEV catalog.
Organizations utilizing TRCore DVC in environments with limited security controls are particularly at risk. Shared hosting environments where multiple users share the same server are also vulnerable, as an attacker could potentially exploit the vulnerability through another user's account. Legacy deployments using older versions of TRCore DVC are highly susceptible.
• windows / supply-chain:
Get-ChildItem -Path "C:\Program Files\TRCore\DVC\uploads\*" -Filter *.php -Recurse• linux / server:
find /var/www/dvc/uploads/ -name '*.php' -print• generic web: Use a web proxy or browser extension to intercept upload requests and examine the 'Content-Type' header. Look for unexpected or malicious file types. • generic web: Review access logs for requests containing directory traversal sequences (e.g., ../../) in the file path.
disclosure
Exploit Status
EPSS
5.16% (90% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-11315 is to upgrade TRCore DVC to version 6.3.1 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing strict file type validation on the upload endpoint using a web application firewall (WAF) or proxy. Restrict write access to the upload directory to only the DVC process. Monitor upload logs for suspicious file extensions or unusual file names. After upgrading, confirm the fix by attempting to upload a file with a restricted extension (e.g., .php) and verifying that the upload is rejected.
Werk TRCore DVC bij naar een versie later dan 6.3 om de path traversal en willekeurige bestandsupload kwetsbaarheid te verhelpen. Dit voorkomt willekeurige code-uitvoering op het systeem. Raadpleeg de website van de leverancier voor de nieuwste versie en de update-instructies.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2024-11315 is a critical vulnerability in TRCore DVC versions 6.0-6.3 that allows attackers to upload arbitrary files, potentially leading to code execution.
You are affected if you are using TRCore DVC versions 6.0, 6.1, 6.2, or 6.3. Upgrade to 6.3.1 or later to mitigate the risk.
Upgrade TRCore DVC to version 6.3.1 or later. As a temporary workaround, implement strict file type validation and restrict write access to the upload directory.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official TRCore security advisory for detailed information and updates: [https://trcore.com/security/advisories](https://trcore.com/security/advisories)
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.