CVE-2024-53982
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
ZOO-Project is a C-based WPS (Web Processing Service) implementation. A path traversal vulnerability was discovered in Zoo-Project Echo example. The Echo example available by default in Zoo installs implements file caching, which can be controlled by user-given parameters. No input validation is performed in this parameter, which allows an attacker to fully control the file which is returned in the response. Patch was committed in November 22nd, 2024.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ZOO-Project | ZOO-Project | < 641cb18fec58de43a3468f314e5f8808c560e6d9 | affected |
Weaknesses
- CWE-434: CWE-434: Unrestricted Upload of File with Dangerous Type
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/ZOO-Project/ZOO-Project/security/advisories/GHSA-93rv-45r8-h5j4
- https://github.com/ZOO-Project/ZOO-Project/commit/641cb18fec58de43a3468f314e5f8808c560e6d9
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.