Cyber Resilience

CVE-2024-6583

MediumPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
15 July 2025
KEV Added
Patch
CVSS Score v3 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0026 49.2th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-6583 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Quivr Quivr. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1074.002 Remote Data Staging Collection
Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in upload functionality enables exploitation of public-facing application (T1190) for arbitrary file writes to S3 bucket paths, facilitating tool ingress (T1105), remote staging of data/tools (T1074.002), and manipulation of stored data (T1565.001).

Affected Assets

quivr
quivr
0.0.254

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References