CVE-2024-22779
Published: 02 February 2024
Summary
CVE-2024-22779 is a high-severity Path Traversal (CWE-22) vulnerability in Kihron ServerRPExposer. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-22779 is a directory traversal vulnerability, tracked as CWE-22, that affects Kihron ServerRPExposer versions 1.0.2 and earlier. The flaw resides in the loadServerPack method of ServerResourcePackProviderMixin.java and carries a CVSS 3.1 base score of 8.8.
A remote attacker can exploit the issue over the network without authentication, although user interaction is required; successful exploitation traverses directories and executes arbitrary code on the affected Minecraft mod instance, fully compromising confidentiality, integrity, and availability.
Public references point to a fix committed to the upstream repository that addresses the traversal vector; administrators should update ServerRPExposer to a patched release available via Modrinth or the project repository.
The EPSS score reached a peak of 0.1778 before settling at the current value of 0.1325.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-20310
Vulnerability details
Directory Traversal vulnerability in Kihron ServerRPExposer v.1.0.2 and before allows a remote attacker to execute arbitrary code via the loadServerPack in ServerResourcePackProviderMixin.java.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (likely, AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories (CWE-22).
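The control listed above, as an added example in the mod's own language (Java); this is not code from ServerRPExposer and not a reconstruction of the patched loadServerPack, which the page does not show. It resolves a server-supplied pack name against the client's pack cache directory and rejects anything that escapes it; the directory name and the single-component naming scheme are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example, not ServerRPExposer code: confines a server-supplied pack name to the cache directory. */
public final class ResourcePackPathCheck {

    private ResourcePackPathCheck() {}

    /**
     * Resolves packName (as received from the server) against cacheDir and returns the
     * resolved path only if it stays inside cacheDir. Everything else is rejected.
     */
    public static Path resolveInside(Path cacheDir, String packName) throws IOException {
        // A pack name should be a single path component: no separators of either flavour.
        if (packName.isEmpty() || packName.contains("/") || packName.contains("\\")) {
            throw new IOException("resource pack name must be a single path component: " + packName);
        }
        // Normalize both sides so "..", "." and redundant separators are collapsed before comparing.
        Path base = cacheDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(packName).normalize();
        // startsWith compares whole path components, so "cache-evil" does not pass for "cache".
        if (!resolved.startsWith(base) || resolved.equals(base)) {
            throw new IOException("resource pack path escapes cache directory: " + packName);
        }
        // If the target already exists, refuse symlinks and directories (a link could point out of cacheDir).
        if (Files.exists(resolved, LinkOption.NOFOLLOW_LINKS)
                && !Files.isRegularFile(resolved, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("resource pack path is not a regular file: " + packName);
        }
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        Path cache = Paths.get("server-resource-packs"); // constructed sample cache directory
        System.out.println("accepted: " + resolveInside(cache, "pack-1234.zip"));
        // Constructed hostile names: each is rejected before any file is written.
        for (String bad : new String[] {"../evil.jar", "..\\evil.jar", "sub/evil.zip", "..", "."}) {
            try {
                resolveInside(cache, bad);
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```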