CVE-2024-25154 - Vulnerability Details - OpenCVE

Description

Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.

Published: 2024-03-13

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Fortra

FileCatalyst

unaffected

Version	Status	Constraints
`3.8.6`	affected	< 3.8.9

Configuration 1 [-]

cpe:2.3:a:fortra:filecatalyst_direct:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Upgrade FileCatalyst to version 3.8.9 or later to remediate the path traversal vulnerability.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-22492	Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00293.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html
https://www.fortra.com/security/advisory/fi-2024-003

History

Tue, 21 Jan 2025 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Fortra Fortra filecatalyst Direct
CPEs		cpe:2.3:a:fortra:filecatalyst_direct::::::::
Vendors & Products		Fortra Fortra filecatalyst Direct

Subscriptions

Fortra Filecatalyst Direct

MITRE

Status: PUBLISHED

Assigner: Fortra

Published: 2024-03-13T14:13:56.214Z

Updated: 2024-08-12T18:55:44.054Z

Reserved: 2024-02-06T21:23:57.925Z

Link: CVE-2024-25154

Vulnrichment

Updated: 2024-08-01T23:36:21.762Z

NVD

Status : Analyzed

Published: 2024-03-13T15:15:51.307

Modified: 2025-01-21T19:01:35.060

Link: CVE-2024-25154

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-22

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25154", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "state": "PUBLISHED", "assignerShortName": "Fortra", "dateReserved": "2024-02-06T21:23:57.925Z", "datePublished": "2024-03-13T14:13:56.214Z", "dateUpdated": "2024-08-12T18:55:44.054Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Direct"], "product": "FileCatalyst", "vendor": "Fortra", "versions": [{"lessThan": "3.8.9", "status": "affected", "version": "3.8.6 ", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.  "}], "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.\u00a0\u00a0"}], "impacts": [{"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2024-03-13T14:13:56.214Z"}, "references": [{"url": "https://www.fortra.com/security/advisory/fi-2024-003"}, {"url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Upgrade FileCatalyst to version 3.8.9 or later to remediate the path traversal vulnerability.</span>\n\n<br>"}], "value": "\nUpgrade FileCatalyst to version 3.8.9 or later to remediate the path traversal vulnerability.\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Path Traversal in FileCatalyst Direct 3.8.8 and Earlier", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.762Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.fortra.com/security/advisory/fi-2024-003", "tags": ["x_transferred"]}, {"url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "fortra", "product": "filecatalyst", "cpes": ["cpe:2.3:a:fortra:filecatalyst:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "3.8.6", "status": "affected", "lessThan": "3.8.9", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-13T20:08:47.135964Z", "id": "CVE-2024-25154", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T18:55:44.054Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.fortra.com/security/advisory/fi-2024-003", "tags": ["x_transferred"]}, {"url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.762Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25154", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-13T20:08:47.135964Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fortra:filecatalyst:*:*:*:*:*:*:*:*"], "vendor": "fortra", "product": "filecatalyst", "versions": [{"status": "affected", "version": "3.8.6", "lessThan": "3.8.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T18:55:32.412Z"}}], "cna": {"title": "Path Traversal in FileCatalyst Direct 3.8.8 and Earlier", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-139", "descriptions": [{"lang": "en", "value": "CAPEC-139 Relative Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fortra", "modules": ["Direct"], "product": "FileCatalyst", "versions": [{"status": "affected", "version": "3.8.6 ", "lessThan": "3.8.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\nUpgrade FileCatalyst to version 3.8.9 or later to remediate the path traversal vulnerability.\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Upgrade FileCatalyst to version 3.8.9 or later to remediate the path traversal vulnerability.</span>\n\n<br>", "base64": false}]}], "references": [{"url": "https://www.fortra.com/security/advisory/fi-2024-003"}, {"url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.\u00a0\u00a0", "supportingMedia": [{"type": "text/html", "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.  ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "shortName": "Fortra", "dateUpdated": "2024-03-13T14:13:56.214Z"}}}, "cveMetadata": {"cveId": "CVE-2024-25154", "state": "PUBLISHED", "dateUpdated": "2024-08-12T18:55:44.054Z", "dateReserved": "2024-02-06T21:23:57.925Z", "assignerOrgId": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "datePublished": "2024-03-13T14:13:56.214Z", "assignerShortName": "Fortra"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fortra:filecatalyst_direct:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EA4E6F4-4EA7-436E-A53C-85FDFBD518C6", "versionEndExcluding": "3.8.9", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage.\u00a0\u00a0"}, {"lang": "es", "value": "Una validaci\u00f3n de URL incorrecta provoca un path traversal en FileCatalyst Direct 3.8.8 y versiones anteriores, lo que permite que un payload codificado haga que el servidor web devuelva archivos ubicados fuera de la ra\u00edz web, lo que puede provocar una fuga de datos."}], "id": "CVE-2024-25154", "lastModified": "2025-01-21T19:01:35.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-13T15:15:51.307", "references": [{"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "tags": ["Release Notes"], "url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html"}, {"source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "tags": ["Vendor Advisory"], "url": "https://www.fortra.com/security/advisory/fi-2024-003"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.fortra.com/security/advisory/fi-2024-003"}], "sourceIdentifier": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "df4dee71-de3a-4139-9588-11b62fe6c0ff", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}