CVE-2024-55415
Published: 30 January 2025
Summary
CVE-2024-55415 is a medium-severity Path Traversal (CWE-22) vulnerability in Thecontrolgroup Voyager. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
DevDojo Voyager through version 1.8.0 is affected by a path traversal vulnerability (CWE-22) at the /admin/compass endpoint. The issue carries a CVSS 3.1 score of 5.7, reflecting network attack vector, low complexity, low privileges required, and required user interaction, with high impact limited to confidentiality.
An authenticated attacker with low-privileged access can supply crafted input to the affected compass controller routes, enabling traversal outside intended directories to read arbitrary files on the server. The referenced controller implementation in VoyagerCompassController.php shows the handling logic that permits this traversal without adequate path sanitization.
Public references include source code inspection of the vulnerable controller and a SonarSource analysis detailing multiple Voyager issues, though no official patch or mitigation guidance is provided in the available references. The EPSS score stands at 0.6378 with no indicated rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0173
Vulnerability details
DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal (CVE-2024-55415) and arbitrary file write (CVE-2024-55417) in Voyager's admin panel and media upload enable exploitation of a public-facing web application for RCE via polyglot web shells masquerading as allowed image files, facilitating privilege escalation.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): implement input validation at the /admin/compass endpoint to block path traversal payloads and prevent unauthorized file access.
- SI-2 (Flaw Remediation): remediate the specific path traversal flaw in VoyagerCompassController by applying vendor patches to the affected versions (through 1.8.0).
- Enforce logical access controls so that authenticated users cannot traverse directories or access sensitive files outside the intended paths.
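As an added illustration of the SI-10 control above and of the path sanitization that the deeper analysis says the compass controller lacks, the following PHP helper resolves a user-supplied relative path inside an allowed base directory and rejects anything that escapes it. This is example code, not Voyager's own: the helper name safeResolve(), the temporary directory layout and the sample inputs are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example, not Voyager's code. safeResolve() is a hypothetical helper:
// it maps a user-controlled relative path onto an allowed base directory and
// returns null for anything that does not resolve to a location inside it.

function safeResolve(string $baseDir, string $userPath): ?string
{
    // An embedded NUL byte would truncate the path in C-level calls (and makes
    // realpath() throw on PHP 8), so refuse it before touching the filesystem.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." segments and follows symlinks, so the
    // result is the file that would actually be opened; missing files give false.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null;
    }
    // Containment check on the resolved path. Comparing against "<base>/" rather
    // than "<base>" stops "/var/www/storage2" from passing for "/var/www/storage".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($target !== $base && substr($target, 0, strlen($prefix)) !== $prefix) {
        return null;
    }
    return $target;
}

// Demo on a constructed temporary tree: one log file that should be readable
// and a .env file one level above the allowed directory that must stay hidden.
$root = sys_get_temp_dir() . '/compass_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/storage/logs', 0700, true);
file_put_contents($root . '/storage/logs/laravel.log', "ok\n");
file_put_contents($root . '/.env', "APP_KEY=placeholder\n");

$allowed = $root . '/storage';
$inputs = ['logs/laravel.log', '../.env', 'logs/../../.env', "logs/\0../.env"];
foreach ($inputs as $input) {
    $resolved = safeResolve($allowed, $input);
    printf("%-20s => %s\n", str_replace("\0", '\0', $input),
        $resolved === null ? 'REJECTED' : 'allowed: ' . $resolved);
}
```

Only the first input resolves; the three traversal variants, including the NUL-byte one, are rejected before any file is read.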