CRITICAL🇵🇱 Wersja polska

CVE-2024-11314

CVSS 9.8v3.1pub. 2024-11-18upd. 2024-11-20

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.

🤖 AI Analysis
How it works

The vulnerability results from two related weaknesses: lack of proper path validation (path traversal, CWE-22/CWE-23) and lack of restrictions on uploaded file types (CWE-434). An attacker can send an HTTP request containing a crafted path that bypasses directory protection mechanisms and places a file anywhere in the server's file system. Uploading an executable file (e.g., a PHP/ASP webshell) to a directory accessible by the web server enables subsequent remote execution of system commands.

Impact

An unauthenticated attacker can gain full control over the server by executing arbitrary code (RCE), which threatens the confidentiality, integrity, and availability of the system.

Mitigation & patch

Patches available from the vendor should be applied in accordance with references published by TWCERT (https://www.twcert.org.tw/en/cp-139-8253-bc363-2.html). Until updates are applied, it is recommended to restrict access to the application at the firewall level and disable file upload functionality if possible.

Who is affected

TRCore's DVC product — versions indicated in vendor references (TWCERT).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Trcore Dvc

    APP
    Trcore
    6.0 – 6.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2024-11311CRITICAL9.8PL ✓ten sam produkt

Path Traversal i unrestricted file upload w TRCore DVC — RCE bez uwierzytelnienia

CVE-2024-11312CRITICAL9.8PL ✓ten sam produkt

Path Traversal i nieograniczony upload plików w TRCore DVC — RCE

CVE-2024-11313CRITICAL9.8PL ✓ten sam produkt

Path Traversal i nieograniczony upload plików w TRCore DVC umożliwiający RCE

CVE-2024-11315CRITICAL9.8PL ✓ten sam produkt

TRCore DVC — path traversal i unrestricted file upload umożliwiające RCE

CVE-2024-11309HIGH7.5ten sam produkt

The DVC from TRCore has a Path Traversal vulnerability, allowing unauthenticated remote attackers to exploit t...