CRITICAL🇵🇱 Wersja polska

CVE-2024-11315

CVSS 9.8v3.1pub. 2024-11-18upd. 2024-11-20

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.

🤖 AI Analysis
How it works

The vulnerability results from two related weaknesses: lack of proper path validation during file uploads (path traversal, CWE-22/CWE-23) and lack of restrictions on accepted file types (CWE-434). An unauthenticated attacker can send an HTTP request containing a malicious file (e.g., PHP/ASP webshell) with a manipulated target path. Through path traversal, the file is placed outside the intended directory — directly into a location accessible by the web server. After placing the webshell on the server, the attacker can invoke it through a browser and execute arbitrary system commands.

Impact

An attacker gains the ability to execute arbitrary code on the server (RCE) with the privileges of the web server process, which may result in complete system takeover, data theft, and further lateral movement in the network.

Mitigation & patch

Apply patches available from the vendor in accordance with references published by TWCERT/CC (https://www.twcert.org.tw/en/cp-139-8255-0bb1a-2.html). Until updates are applied, consider disabling file upload functionality or restricting application access exclusively to trusted networks.

Who is affected

TRCore's DVC product — specific versions indicated in vendor references (TWCERT/CC).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Trcore Dvc

    APP
    Trcore
    6.0 – 6.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2024-11311CRITICAL9.8PL ✓ten sam produkt

Path Traversal i unrestricted file upload w TRCore DVC — RCE bez uwierzytelnienia

CVE-2024-11312CRITICAL9.8PL ✓ten sam produkt

Path Traversal i nieograniczony upload plików w TRCore DVC — RCE

CVE-2024-11313CRITICAL9.8PL ✓ten sam produkt

Path Traversal i nieograniczony upload plików w TRCore DVC umożliwiający RCE

CVE-2024-11314CRITICAL9.8PL ✓ten sam produkt

TRCore DVC — Path Traversal i nieograniczony upload plików prowadzący do RCE

CVE-2024-11309HIGH7.5ten sam produkt

The DVC from TRCore has a Path Traversal vulnerability, allowing unauthenticated remote attackers to exploit t...