CVE-2024-24765 — Path traversal and user privilege escalation in github.com/IceWhaleTech/CasaOS-U

Description

The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.

How to fix CVE-2024-24765

To remediate CVE-2024-24765, upgrade the affected package to a fixed version below.

—upgrade to 0.4.7 or later
—upgrade to 0.4.7 or later

Is CVE-2024-24765 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.4.7
from 0, < 0.4.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-24765
PATCHgithub.com/IceWhaleTech/CasaOS-UserService
WEBgithub.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e
WEBgithub.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7