CVE-2024-6746
Published: 15 July 2024
Summary
CVE-2024-6746 is a medium-severity Path Traversal: '../filedir' (CWE-24) vulnerability in EasySpider (listed with vendor and product both as Easyspider). Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-6746 is a path traversal vulnerability in NaiboWang EasySpider version 0.6.2 on Windows. It resides in the HTTP GET Request Handler within the file EasySpider/resources/app/server.js, where unsanitized input such as /../../../../../../../../../Windows/win.ini can be supplied to traverse directories and access arbitrary files on the host.
An attacker on the local network can exploit the flaw without authentication or user interaction to read sensitive files outside the application's intended scope. The vulnerability has been publicly disclosed, and proof-of-concept details are available, enabling any adjacent adversary to retrieve configuration or system files such as win.ini.
The project maintainer has stated that the issue is limited in impact because the software is intended to run locally without exposure to the Internet. No official patches or configuration changes are referenced in the available advisories.
The associated EPSS score currently stands at 0.81 with a recorded peak of 0.8226, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-47783
Vulnerability details
A vulnerability classified as problematic was found in NaiboWang EasySpider 0.6.2 on Windows. Affected by this vulnerability is an unknown functionality of the file \EasySpider\resources\app\server.js of the component HTTP GET Request Handler. The manipulation with the input /../../../../../../../../../Windows/win.ini leads to path traversal: '../filedir'. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The identifier VDB-271477 was assigned to this vulnerability. NOTE: The code maintainer explains that this is not a big issue "because the default is that the software runs locally without going through the Internet".
- CWE(s): CWE-24 (Path Traversal: '../filedir')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.