CVE-2024-52600 — Statamic CMS has a Path Traversal in Asset Upload

Description

Assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured. ### Impact - Affects front-end forms with `assets` fields. - Affects other places where assets can be uploaded, although users would need upload permissions anyway. - Files can be uploaded so they would be located on the server in a different location, and potentially override existing files. - Traversal _outside_ an asset container was not possible. ### Patches This has been fixed in 5.17.0.

How to fix CVE-2024-52600

To remediate CVE-2024-52600, upgrade the affected package to a fixed version below.

—upgrade to 5.17.0 or later

Is CVE-2024-52600 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.17.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-52600
PATCHgithub.com/statamic/cms
WEBgithub.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d
WEBgithub.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da