CVE-2024-55457
Published: 20 February 2025
Summary
CVE-2024-55457 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
MasterSAM Star Gate 11 contains a directory traversal vulnerability, tracked as CVE-2024-55457 and assigned CWE-22, that affects the /adama/adama/downloadService endpoint. An unauthenticated attacker can supply a crafted file parameter to read arbitrary files on the underlying server, resulting in limited disclosure of sensitive information and a CVSS 3.1 base score of 6.5.
Remote attackers with no credentials or user interaction can exploit the flaw over the network to retrieve files outside the intended directory, achieving partial confidentiality and integrity impact without affecting availability.
A public proof-of-concept is available at the referenced GitHub repository. The associated EPSS score has reached a peak of 0.8718 and currently stands at 0.7525, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4569
Vulnerability details
MasterSAM Star Gate 11 is vulnerable to directory traversal via /adama/adama/downloadService. An attacker can exploit this vulnerability by manipulating the file parameter to access arbitrary files on the server, potentially exposing sensitive information.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directory traversal in public-facing downloadService endpoint directly enables T1190 (Exploit Public-Facing Application) for unauthenticated remote file access; resulting arbitrary file reads facilitate T1005 (Data from Local System).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly validates the manipulated 'file' parameter in requests to the /adama/adama/downloadService endpoint to reject directory traversal sequences like '../'.
- AC-3 (Access Enforcement): enforces access control policies at the application level to restrict file system access, preventing unauthorized reads of arbitrary sensitive files outside the intended directory.
- SC-7 (Boundary Protection): deploys boundary protection mechanisms like a web application firewall to monitor and block inbound requests containing path traversal patterns targeting the vulnerable endpoint.
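As an added illustration (not MasterSAM's code; the download root and the sample parameter values are constructed), the Python handler below shows the canonicalize-then-contain check that SI-10 and AC-3 call for: rather than filtering the literal '../' string, it decodes the untrusted `file` parameter, resolves it against the intended directory and rejects anything that lands outside it, which also covers percent-encoded and absolute-path variants a plain substring filter would miss.

```python
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import unquote

# Hypothetical directory the download endpoint is meant to serve from.
DOWNLOAD_ROOT = "/srv/stargate/downloads"


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e) before any path logic runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_download(requested: str, base_dir: str = DOWNLOAD_ROOT) -> Optional[Path]:
    """Map an untrusted `file` parameter to a path inside base_dir, or None if it escapes.

    Containment is decided on the canonical path, so '..' segments, encoded
    forms, absolute paths and symlinks are all judged by the same rule.
    """
    decoded = _fully_decode(requested)
    if not decoded or "\x00" in decoded:
        return None  # empty or NUL-containing names are never legitimate file names
    base = Path(base_dir).resolve()
    # Joining an absolute `decoded` discards `base`; resolve() makes that visible
    # and the containment test below then rejects it.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # canonical path is outside the download root
    return candidate


def classify_requests(params: List[str]) -> Dict[str, bool]:
    """Label each constructed `file` value as allowed (True) or rejected (False)."""
    return {p: resolve_download(p) is not None for p in params}


if __name__ == "__main__":
    samples = ["report.pdf", "2024/export.csv", "../../etc/passwd",
               "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd", "/etc/passwd"]
    for name, allowed in classify_requests(samples).items():
        print(f"{'ALLOW' if allowed else 'REJECT':6} {name}")
```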