Arbitrary File Read via Uncontrolled Data in Path Expression
CVE-2024-45388

7.5HIGH

Key Information:

Vendor

Spectolabs

Status
Hoverfly
Vendor
CVE Published:
2 September 2024

What is CVE-2024-45388?

A vulnerability has been identified in Hoverfly, a service virtualization and API simulation tool, wherein the /api/v2/simulation POST handler may allow an attacker to manipulate file paths to access arbitrary files on the server. The vulnerability arises from improper input validation during the simulation view creation process. Although the application prevents absolute paths, an attacker can exploit the input by including '../' segments, thus escaping the defined base file path. This could potentially expose sensitive information or configuration files to unauthorized users. Implementing strict validation of file paths and ensuring that inputs do not escape the designated directory is crucial to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

hoverfly < 1.10.3

References

https://github.com/SpectoLabs/hoverfly/security/advisorie...
x_refsource_CONFIRM
https://codeql.github.com/codeql-query-help/go/go-path-in...
x_refsource_MISC
https://github.com/SpectoLabs/hoverfly/releases/tag/v1.10.3
x_refsource_MISC

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.