Cyber Resilience

CVE-2024-6746

Severity: Medium | Public PoC

Published: 15 July 2024

Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score (v4): 5.3
CVSS vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.8100 (99.2nd percentile)
Risk Priority: 59 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-6746 is a medium-severity Path Traversal: '../filedir' (CWE-24) vulnerability in EasySpider (NVD vendor/product: easyspider/easyspider). Its CVSS base score is 5.3 (Medium).

Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-6746 is a path traversal vulnerability in NaiboWang EasySpider version 0.6.2 on Windows. It resides in the HTTP GET request handler in the file EasySpider/resources/app/server.js, where an unsanitized request path such as /../../../../../../../../../Windows/win.ini is resolved against the served directory without being checked, so the resulting path can escape that directory and read arbitrary files on the host.

An attacker on the local network can exploit the flaw without authentication or user interaction to read sensitive files outside the application's intended scope. The vulnerability has been publicly disclosed, and proof-of-concept details are available, enabling any adjacent adversary to retrieve configuration or system files such as win.ini.

The project maintainer has stated that the issue is limited in impact because the software is intended to run locally without exposure to the Internet. No official patches or configuration changes are referenced in the available advisories.

The associated EPSS score currently stands at 0.81 with a recorded peak of 0.8226, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

A vulnerability classified as problematic was found in NaiboWang EasySpider 0.6.2 on Windows. Affected by this vulnerability is an unknown functionality of the file \EasySpider\resources\app\server.js of the component HTTP GET Request Handler. The manipulation with the input /../../../../../../../../../Windows/win.ini leads to path traversal: '../filedir'. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The identifier VDB-271477 was assigned to this vulnerability. NOTE: The code maintainer explains that this is not a big issue "because the default is that the software runs locally without going through the Internet".

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: easyspider
Product: easyspider
Version: 0.6.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.

References