CVE-2024-31851
Published: 05 April 2024
Summary
CVE-2024-31851 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A path traversal vulnerability tracked as CVE-2024-31851 affects the Java version of CData Sync prior to 23.4.8843 when the product runs on the embedded Jetty server. The flaw, which carries a CVSS 3.1 score of 8.6 and maps to CWE-22, permits unauthorized access to files outside intended directories.
An unauthenticated remote attacker can exploit the issue over the network with low attack complexity and no user interaction. The impact is high on confidentiality and limited on integrity and availability: reading sensitive configuration or data files and performing restricted operations on the server.
Public references from Tenable detail the path traversal vector but do not expand on specific patch contents or configuration workarounds beyond upgrading to the corrected release. The associated EPSS score has remained steady at 0.8929 with no indicated rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-29721
Vulnerability details
A path traversal vulnerability exists in the Java version of CData Sync < 23.4.8843 when running on the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
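The control above is the generic CWE-22 defence. The following is an added example (not CData's code, and not derived from the patched release) of how a server-side handler can validate a client-supplied file name before mapping it onto a fixed export directory; the root path and the sample inputs are constructed for illustration.

```python
import os
import urllib.parse

# Hypothetical export root; constructed for this example.
ROOT = os.path.realpath("/srv/sync/exports")


class TraversalRejected(ValueError):
    """Raised when a client-supplied path would leave the root directory."""


def safe_resolve(root: str, requested: str) -> str:
    """Map a client-supplied relative path onto a file under `root`.

    Rejects input that escapes the root after URL decoding (repeated, to
    catch double encoding), separator normalisation, and dot-segment and
    symlink resolution. Returns the canonical absolute path on success.
    """
    decoded = requested
    for _ in range(3):  # decode until stable: %2e%2e and %252e%252e both collapse to ..
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in path")
    # Treat backslashes as separators so ..\..\ is not missed on POSIX hosts.
    decoded = decoded.replace("\\", "/")
    # A client must never supply an absolute path.
    if decoded.startswith("/") or os.path.isabs(decoded):
        raise TraversalRejected("absolute path")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # Containment check on the canonical form, not on the raw string.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalRejected(f"escapes root: {requested!r}")
    return candidate


def is_safe(requested: str, root: str = ROOT) -> bool:
    """Convenience wrapper: True if the request resolves inside root."""
    try:
        safe_resolve(root, requested)
        return True
    except TraversalRejected:
        return False
```

A rejected request is worth logging with the raw (undecoded) value, since repeated `..`, `%2e`, or backslash sequences against an export endpoint are a usable detection signal for this weakness class.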