Insecure Direct Object Reference in GNU Savane Affects File Deletion Functionality
CVE-2024-27630

7.5HIGH

Key Information:

Vendor: GNU
Status: Savane
Vendor: CVE Published:; 8 April 2024

Summary

An Insecure Direct Object Reference (IDOR) vulnerability in GNU Savane versions up to 3.12 allows remote attackers to exploit the trackers_data_delete_file function. By sending specially crafted input, an attacker can gain unauthorized access to delete arbitrary files, posing a significant risk to data integrity within the application. The vulnerability highlights the importance of implementing proper access controls to prevent unauthorized file manipulation.

References

https://medium.com/%40allypetitt/how-i-found-3-cves-in-2-...

https://github.com/ally-petitt/CVE-2024-27630

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 8, 2024
Vulnerability Reserved
Feb 26, 2024