CVE-2024-25154 - Vulnerability Details - OpenCVE

Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fortra	Filecatalyst Direct

Configuration 1 [-]

cpe:2.3:a:fortra:filecatalyst_direct:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html
https://www.fortra.com/security/advisory/fi-2024-003

History

Tue, 21 Jan 2025 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortra Fortra filecatalyst Direct
CPEs		cpe:2.3:a:fortra:filecatalyst_direct::::::::
Vendors & Products		Fortra Fortra filecatalyst Direct

MITRE

Status: PUBLISHED

Assigner: Fortra

Published: 2024-03-13T14:13:56.214Z

Updated: 2024-08-12T18:55:44.054Z

Reserved: 2024-02-06T21:23:57.925Z

Link: CVE-2024-25154

Vulnrichment

Updated: 2024-08-01T23:36:21.762Z

NVD

Status : Analyzed

Published: 2024-03-13T15:15:51.307

Modified: 2025-01-21T19:01:35.060

Link: CVE-2024-25154

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25154", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2024-02-06T21:23:57.925Z", "datePublished": "2024-03-13T14:13:56.214Z", "dateUpdated": "2024-08-12T18:55:44.054Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Direct"], "product": "FileCatalyst", "vendor": "Fortra", "versions": [{"lessThan": "3.8.9", "status": "affected", "version": "3.8.6 ", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.  "}], "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.\u00a0\u00a0"}], "impacts": [{"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2024-03-13T14:13:56.214Z"}, "references": [{"url": "https://www.fortra.com/security/advisory/fi-2024-003"}, {"url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Upgrade FileCatalyst to version 3.8.9 or later to remediate the path traversal vulnerability.</span>\n\n<br>"}], "value": "\nUpgrade FileCatalyst to version 3.8.9 or later to remediate the path traversal vulnerability.\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Path Traversal in FileCatalyst Direct 3.8.8 and Earlier", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.762Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.fortra.com/security/advisory/fi-2024-003", "tags": ["x_transferred"]}, {"url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "fortra", "product": "filecatalyst", "cpes": ["cpe:2.3:a:fortra:filecatalyst:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "3.8.6", "status": "affected", "lessThan": "3.8.9", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-13T20:08:47.135964Z", "id": "CVE-2024-25154", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T18:55:44.054Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.fortra.com/security/advisory/fi-2024-003", "tags": ["x_transferred"]}, {"url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.762Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25154", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-13T20:08:47.135964Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fortra:filecatalyst:*:*:*:*:*:*:*:*"], "vendor": "fortra", "product": "filecatalyst", "versions": [{"status": "affected", "version": "3.8.6", "lessThan": "3.8.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T18:55:32.412Z"}}], "cna": {"title": "Path Traversal in FileCatalyst Direct 3.8.8 and Earlier", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortra", "modules": ["Direct"], "product": "FileCatalyst", "versions": [{"status": "affected", "version": "3.8.6 ", "lessThan": "3.8.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\nUpgrade FileCatalyst to version 3.8.9 or later to remediate the path traversal vulnerability.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Upgrade FileCatalyst to version 3.8.9 or later to remediate the path traversal vulnerability.</span>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.fortra.com/security/advisory/fi-2024-003"}, {"url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.\u00a0\u00a0", "supportingMedia": [{"type": "text/html", "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.  ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2024-03-13T14:13:56.214Z"}}}, "cveMetadata": {"cveId": "CVE-2024-25154", "state": "PUBLISHED", "dateUpdated": "2024-08-12T18:55:44.054Z", "dateReserved": "2024-02-06T21:23:57.925Z", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "datePublished": "2024-03-13T14:13:56.214Z", "assignerShortName": "Fortra"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortra:filecatalyst_direct:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EA4E6F4-4EA7-436E-A53C-85FDFBD518C6", "versionEndExcluding": "3.8.9", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.\u00a0\u00a0"}, {"lang": "es", "value": "Una validaci\u00f3n de URL incorrecta provoca un path traversal en FileCatalyst Direct 3.8.8 y versiones anteriores, lo que permite que un payload codificado haga que el servidor web devuelva archivos ubicados fuera de la ra\u00edz web, lo que puede provocar una fuga de datos."}], "id": "CVE-2024-25154", "lastModified": "2025-01-21T19:01:35.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-13T15:15:51.307", "references": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "tags": ["Release Notes"], "url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html"}, {"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "tags": ["Vendor Advisory"], "url": "https://www.fortra.com/security/advisory/fi-2024-003"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.fortra.com/security/advisory/fi-2024-003"}], "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}