File Name or Extension of Externally-Supplied File Vulnerabilities
CVE-2024-38432

9.8CRITICAL

Key Information:

Vendor: Matrix
Status: Tafnit V8
Vendor: CVE Published:; 30 July 2024

What is CVE-2024-38432?

A file injection vulnerability exists in Matrix Tafnit, specifically in version 8. This vulnerability arises from an over-reliance on the file name or extension of externally-supplied files. When malicious files are uploaded with misleading file names or extensions, the application may process them without the necessary validation, potentially leading to unauthorized actions or exposure of sensitive information. Organizations utilizing Matrix Tafnit are advised to review their file handling procedures and implement strict validation to mitigate the associated risks.

Affected Version(s)

Tafnit v8 All versions < 8.4.202

References

https://www.gov.il/en/Departments/faq/cve_advisories

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 30, 2024
Vulnerability Reserved
Jun 16, 2024

Credit

Gad Abuhatziera, Nimrod Bickels, Itay Cherdman - Sophtix Security LTD