A path traversal vulnerability was discovered in the Java versions of multiple CData products when using the embedded Jetty server, allowing remote attackers to potentially access sensitive information and perform limited actions on the system.
The vulnerability arises from the interplay between how the embedded Jetty server and CData servlets handle incoming requests, creating a path traversal issue where an attacker can manipulate the path to access unintended directories on the system.
An attacker can exploit a path traversal vulnerability in CData Sync versions before 23.4.8843, which stems from unintended Jetty behavior when processing servlet mappings and security constraints in the web.xml file.
Jetty’s handling of backslashes (\) in URIs differs from other servers, allowing attackers to bypass restrictions, while the lack of proper session checks on certain endpoints makes it possible to perform unauthorized actions after exploiting the path traversal.
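The root cause described above is a path-matching decision taken on a URI that has not been canonicalized first. The following added example (not code from CData or Jetty) illustrates the defensive check: canonicalize the request path (percent-decode, treat backslashes as separators, collapse dot segments) before comparing it against a protected prefix, and flag requests where the raw and canonical decisions disagree. The `/src/` prefix, the log lines and all function names are constructed assumptions for illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical protected prefix, standing in for a web.xml url-pattern
# under a <security-constraint>; constructed for this example.
PROTECTED_PREFIXES = ("/src/",)

def normalize_request_path(raw: str) -> str:
    """Canonicalize a request path before any authorization decision:
    percent-decode until stable (catches nested encoding), treat backslashes
    as separators as a Windows file system would, then collapse '.'/'..'."""
    decoded = raw
    for _ in range(3):            # bounded loop against repeated encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    unified = decoded.replace("\\", "/")
    # Leading "/" keeps the result rooted so ".." can never escape above it.
    return posixpath.normpath("/" + unified.lstrip("/"))

def naive_is_protected(raw: str) -> bool:
    """Pattern check on the raw URI, i.e. before canonicalization."""
    return raw.startswith(PROTECTED_PREFIXES)

def hardened_is_protected(raw: str) -> bool:
    """Same pattern check, but on the canonical path."""
    return normalize_request_path(raw).startswith(PROTECTED_PREFIXES)

# Constructed access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.7 - - "GET /src\\getSettings.rsb HTTP/1.1" 200',
    '10.0.0.9 - - "GET /static/..\\src/getSettings.rsb HTTP/1.1" 200',
]

def find_constraint_mismatches(lines):
    """Return (raw, canonical) pairs for requests that a raw-URI pattern check
    would not treat as protected although the canonical path lands inside a
    protected prefix. Useful both as a log-review rule and as a regression
    test for a normalization filter placed in front of the servlet mapping."""
    hits = []
    for line in lines:
        path = line.split('"')[1].split(" ")[1]
        if hardened_is_protected(path) and not naive_is_protected(path):
            hits.append((path, normalize_request_path(path)))
    return hits
```

Running `find_constraint_mismatches(SAMPLE_LOG)` reports the two backslash requests and the canonical `/src/getSettings.rsb` path they resolve to, while the plain `/index.html` request is left alone.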
CData API Server versions prior to 23.4.8844 for Java with the embedded Jetty server are vulnerable to a path traversal attack (CVE-2024-31848), which allows unauthenticated remote attackers to exploit improper path validation to access arbitrary files on the system.
It could grant complete administrative control of the application; the Common Vulnerability Scoring System (CVSS) assigns it a score of 9.8, reflecting the critical severity of this flaw.
CData Connect, a Java application running on the embedded Jetty server prior to version 23.4.8846, is vulnerable to a critical path traversal attack (CVE-2024-31849).
The weakness allows unauthenticated, remote attackers to exploit the application’s directory traversal functionality to gain complete administrative access.
With a CVSS base score of 9.8, the vulnerability poses a serious risk, and immediate patching is recommended.
When using the embedded Jetty server, CData Arc, a Java application with versions prior to 23.4.8839, is vulnerable to a path traversal attack that a remote, unauthenticated attacker can use to access sensitive data and potentially carry out limited actions on the system.
According to Tenable, the attacker can manipulate the path to access files outside the intended directory structure, expose sensitive data, or allow unauthorized modifications.
CData Sync, a data integration software, is vulnerable to a path traversal attack (CVE-2024-31851) when using the embedded Jetty server in its Java version prior to 23.4.8843.
A remote, unauthenticated attacker could take advantage of this flaw to access sensitive data and potentially carry out limited actions on the system.
The Common Vulnerability Scoring System (CVSS) assigns a base score of 8.6 to this vulnerability, reflecting its high severity.
The vulnerability was found in CData products, where accessing “/src/getSettings.rsb” could expose sensitive data. It was disclosed to CData on March 4th, 2024, and acknowledged two days later. CData released updates addressing the vulnerability on March 25th, 2024, and a public advisory was published on April 5th, 2024.