CVE-2024-53582
Published: 31 January 2025
Summary
CVE-2024-53582 is a high-severity Path Traversal (CWE-22) vulnerability in OpenPanel (vendor: Openpanel). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-53582 is a path traversal vulnerability (CWE-22) affecting the Copy and View functions in the File Manager component of OpenPanel version 0.3.4. The flaw allows an attacker to supply a crafted HTTP request that traverses directories outside the intended scope, resulting in unauthorized file access. It received a CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated remote attackers can exploit the issue over the network without credentials or user interaction. Successful exploitation grants read access to arbitrary files on the underlying system, exposing sensitive configuration data, source code, or other confidential information stored on the server.
The official OpenPanel changelog for version 0.3.5 lists security fixes that address the directory traversal vectors in the File Manager. Administrators are advised to upgrade from 0.3.4 to 0.3.5 or later. A proof-of-concept exploit demonstrating the attack has been published on Packet Storm. The associated EPSS score has remained flat at 0.0810 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51999
Vulnerability details
An issue found in the Copy and View functions in the File Manager component of OpenPanel v0.3.4 allows attackers to execute a directory traversal via a crafted HTTP request.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Directory traversal in an internet-facing File Manager component directly enables remote, unauthenticated file reads via crafted requests, which maps to exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates HTTP request parameters in the Copy and View functions to block directory traversal sequences such as '../'.
- AC-3 (Access Enforcement): enforces logical access controls so that file reads are restricted to authorized directories only, preventing unauthorized access via traversal.
- Flaw remediation: remediates the specific directory traversal flaw by identifying, testing, and applying patches such as OpenPanel v0.3.5.
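Added example, not code from the OpenPanel project or from this advisory: a Python containment check of the kind the SI-10 and AC-3 controls above describe, applied to a file-manager Copy/View path parameter. It contrasts a substring filter for '../' (which a percent-encoded request bypasses) with resolving the path and checking that it stays under the file-manager root. The root directory and parameter values are constructed, and the check assumes a POSIX host.

```python
import os
from urllib.parse import unquote

# Constructed file-manager root for the example; it need not exist on disk.
ROOT = "/srv/openpanel/files"


def naive_filter(user_path: str) -> bool:
    """The weak control: accepts the value unless it contains a literal
    '../'. Percent-encoded separators ('..%2f') pass this check unchanged,
    so it is shown only as the check that a hardened version must replace."""
    return "../" not in user_path


def resolve_in_root(root: str, user_path: str) -> str:
    """Resolve a client-supplied path (e.g. the path parameter of a Copy or
    View request) to an absolute path that is guaranteed to lie inside
    `root`; raise ValueError otherwise.

    Steps: decode percent-encoding once (as the web server would), treat a
    leading '/' as root-relative, resolve '..' components and symlinks with
    realpath, then test containment with commonpath."""
    relative = unquote(user_path).lstrip("/")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # commonpath is the correct containment test: a plain startswith()
    # would wrongly accept /srv/openpanel/files2 for root /srv/openpanel/files.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes file-manager root: {user_path!r}")
    return candidate


def is_contained(root: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_in_root() for request validation."""
    try:
        resolve_in_root(root, user_path)
        return True
    except ValueError:
        return False
```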