CRITICAL🇵🇱 Wersja polska

CVE-2024-11313

CVSS 9.8v3.1pub. 2024-11-18upd. 2024-11-20

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.

🤖 AI Analysis
How it works

The vulnerability results from two independent weaknesses: lack of proper path validation for uploaded files (Path Traversal, CWE-22/CWE-23) and lack of restrictions on uploaded file types (CWE-434). An attacker, without needing authentication, can construct a request to upload a webshell file to any directory accessible on the server. After placing the webshell in a directory accessible by the web server, the attacker gains the ability to execute arbitrary system commands.

Impact

An attacker can gain full control of the system by executing arbitrary code (RCE) from the application server account level, which threatens the confidentiality, integrity, and availability of the entire system.

Mitigation & patch

Patches available from the vendor should be applied in accordance with references published by TWCERT (https://www.twcert.org.tw/en/cp-139-8251-3455e-2.html). Until updates are applied, it is recommended to restrict access to the file upload interface at the firewall or network level and disable anonymous file submission capabilities.

Who is affected

TRCore's DVC product — specific versions indicated in vendor references (TWCERT)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Trcore Dvc

    APP
    Trcore
    6.0 – 6.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2024-11311CRITICAL9.8PL ✓ten sam produkt

Path Traversal i unrestricted file upload w TRCore DVC — RCE bez uwierzytelnienia

CVE-2024-11312CRITICAL9.8PL ✓ten sam produkt

Path Traversal i nieograniczony upload plików w TRCore DVC — RCE

CVE-2024-11314CRITICAL9.8PL ✓ten sam produkt

TRCore DVC — Path Traversal i nieograniczony upload plików prowadzący do RCE

CVE-2024-11315CRITICAL9.8PL ✓ten sam produkt

TRCore DVC — path traversal i unrestricted file upload umożliwiające RCE

CVE-2024-11309HIGH7.5ten sam produkt

The DVC from TRCore has a Path Traversal vulnerability, allowing unauthenticated remote attackers to exploit t...