CVE-2024-22779

Severity: High · Public PoC available

Published: 02 February 2024

Modified: 21 November 2024
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available upstream
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.1325 (94.3rd percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-22779 is a high-severity Path Traversal (CWE-22) vulnerability in Kihron ServerRPExposer. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-22779 is a directory traversal vulnerability, tracked as CWE-22, that affects Kihron ServerRPExposer versions 1.0.2 and earlier. The flaw resides in the loadServerPack method of ServerResourcePackProviderMixin.java and carries a CVSS 3.1 base score of 8.8.

The issue is exploitable over the network without authentication, though it requires user interaction. Successful exploitation lets a remote attacker traverse directories and execute arbitrary code on the affected Minecraft mod instance, fully compromising confidentiality, integrity, and availability.

Public references point to a fix committed to the upstream repository that addresses the traversal vector; administrators should update ServerRPExposer to a patched release available via Modrinth or the project repository.

The EPSS score reached a peak of 0.1778 before settling at the current value of 0.1325.

Vulnerability details

Directory Traversal vulnerability in Kihron ServerRPExposer v.1.0.2 and before allows a remote attacker to execute arbitrary code via the loadServerPack in ServerResourcePackProviderMixin.java.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: kihron
Product: serverrpexposer
Versions: ≤ 1.0.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
