Vulnerability in CDG 5 Allows Path Traversal and Remote Code Execution
CVE-2024-10379

7.5HIGH

Key Information:

Vendor
Esafenet
Status
Cdg
Vendor
CVE Published:
25 October 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

A path traversal vulnerability exists in ESAFENET CDG 5 within the function actionViewDecyptFile located in /com/esafenet/servlet/client/DecryptApplicationService.java. This vulnerability is exploited through manipulation of the argument decryptFileId, enabling an attacker to traverse directories and potentially access sensitive files on the server. A key coding error is present due to a typo, with the function name 'actionViewDecyptFile' missing an 'R'. Exploits for this vulnerability have been publicly disclosed, creating a significant risk for affected systems. Despite early notification to ESAFENET, no response has been recorded, leaving users exposed to potential threats.

Affected Version(s)

CDG 5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-10379 - Proof of Concept

References

https://vuldb.com/?id.281809
vdb-entrytechnical-description
https://vuldb.com/?ctiid.281809
signaturepermissions-required
https://vuldb.com/?submit.426087
third-party-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

0menc (VulDB User)
.