CRITICAL🇵🇱 Wersja polska

CVE-2024-11311

CVSS 9.8v3.1pub. 2024-11-18upd. 2024-11-20

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.

🤖 AI Analysis
How it works

An unauthenticated attacker can upload a file of any type to the application by exploiting the lack of validation of file extensions or content. Using the Path Traversal vulnerability (CWE-22/CWE-23), they can specify a target directory outside the intended application area. After placing a webshell in an appropriate location, the attacker gains the ability to execute system commands through HTTP requests.

Impact

An attacker can gain full control of the server by executing arbitrary code (RCE) — the confidentiality, integrity, and availability of the system are compromised. The consequences may include server takeover, data exfiltration, or lateral movement within the network.

Mitigation & patch

Apply patches available from the vendor in accordance with references published by TWCERT (https://www.twcert.org.tw/en/cp-139-8247-83457-2.html). As a temporary workaround, consider restricting access to file upload functionality at the firewall or WAF level and blocking unauthenticated requests to upload endpoints.

Who is affected

TRCore DVC product — specific versions indicated in vendor references (TWCERT).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Trcore Dvc

    APP
    Trcore
    6.0 – 6.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2024-11312CRITICAL9.8PL ✓ten sam produkt

Path Traversal i nieograniczony upload plików w TRCore DVC — RCE

CVE-2024-11313CRITICAL9.8PL ✓ten sam produkt

Path Traversal i nieograniczony upload plików w TRCore DVC umożliwiający RCE

CVE-2024-11314CRITICAL9.8PL ✓ten sam produkt

TRCore DVC — Path Traversal i nieograniczony upload plików prowadzący do RCE

CVE-2024-11315CRITICAL9.8PL ✓ten sam produkt

TRCore DVC — path traversal i unrestricted file upload umożliwiające RCE

CVE-2024-11309HIGH7.5ten sam produkt

The DVC from TRCore has a Path Traversal vulnerability, allowing unauthenticated remote attackers to exploit t...