CRITICAL🇵🇱 Wersja polska

CVE-2024-11312

CVSS 9.8v3.1pub. 2024-11-18upd. 2024-11-20

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.

🤖 AI Analysis
How it works

The lack of authentication required for file uploads combined with the absence of file extension or type validation allows an attacker to upload any file (e.g., webshell). The path traversal vulnerability enables placing this file outside the default upload directory — including locations accessible by the web server. After uploading the file, the attacker can invoke it through a browser or HTTP request, thereby achieving code execution on the server side.

Impact

An unauthenticated attacker can gain full control over the server by executing arbitrary code (RCE), as well as read, modify, or delete data on the server.

Mitigation & patch

Apply patches available from the vendor according to references published by TWCERT (https://www.twcert.org.tw/en/cp-139-8249-65252-2.html). Until updates are applied, it is recommended to restrict network access to the application and block unauthorized traffic at the firewall level.

Who is affected

TRCore DVC product — specific versions indicated in vendor references (TWCERT).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Trcore Dvc

    APP
    Trcore
    6.0 – 6.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2024-11311CRITICAL9.8PL ✓ten sam produkt

Path Traversal i unrestricted file upload w TRCore DVC — RCE bez uwierzytelnienia

CVE-2024-11313CRITICAL9.8PL ✓ten sam produkt

Path Traversal i nieograniczony upload plików w TRCore DVC umożliwiający RCE

CVE-2024-11314CRITICAL9.8PL ✓ten sam produkt

TRCore DVC — Path Traversal i nieograniczony upload plików prowadzący do RCE

CVE-2024-11315CRITICAL9.8PL ✓ten sam produkt

TRCore DVC — path traversal i unrestricted file upload umożliwiające RCE

CVE-2024-11309HIGH7.5ten sam produkt

The DVC from TRCore has a Path Traversal vulnerability, allowing unauthenticated remote attackers to exploit t...