CVE-2024-11664
Published: 25 November 2024
Summary
CVE-2024-11664 is a high-severity Path Traversal (CWE-22) vulnerability in Enms Enms. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique SSH Authorized Keys (T1098.004); ranked in the top 11.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A path traversal vulnerability (CWE-22) rated critical has been identified in eNMS versions up to 4.2. The flaw resides in the multiselect_filtering function within the TGZ File Handler component at eNMS/controller.py and stems from improper input handling that permits directory traversal sequences.
An attacker with low-privileged remote access can supply crafted input to the affected function, enabling arbitrary file read or write operations that compromise confidentiality, integrity, and availability on the server. Public exploit code has been released, and the CVSS 4.0 vector reflects network attack reach with no user interaction required.
The project has published a fix in commit 22b0b443acca740fc83b5544165c1f53eff3f529, available via the referenced pull request; administrators are advised to apply the patch promptly. The associated EPSS score rose from lower values to a peak of 0.0653 before receding to the current 0.0375, indicating a temporary increase in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33942
Vulnerability details
A vulnerability, which was classified as critical, has been found in eNMS up to 4.2. Affected by this issue is the function multiselect_filtering of the file eNMS/controller.py of the component TGZ File Handler. The manipulation leads to path traversal. The…
more
attack may be launched remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 22b0b443acca740fc83b5544165c1f53eff3f529. It is recommended to apply a patch to fix this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in TGZ file handler enables arbitrary file writes (e.g., SSH authorized keys for persistence, T1098.004) via exploitation of a public-facing web application (T1190).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.