{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-11311", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-11-18T01:44:51.777Z", "datePublished": "2024-11-18T06:24:25.095Z", "dateUpdated": "2024-11-18T13:57:51.361Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "DVC", "vendor": "TRCore", "versions": [{"lessThanOrEqual": "6.3", "status": "affected", "version": "6.0", "versionType": "custom"}]}], "datePublic": "2024-11-18T06:08:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells."}], "value": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-11-18T06:24:25.095Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-8246-d462a-1.html"}, {"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/en/cp-139-8247-83457-2.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to version 6.4 or later."}], "value": "Update to version 6.4 or later."}], "source": {"advisory": "TVN-202411018", "discovery": "EXTERNAL"}, "title": "TRCore DVC - Arbitrary File Upload through Path Traversal", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11311", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-18T13:46:09.802701Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:trcore:dvc:*:*:*:*:*:*:*:*"], "vendor": "trcore", "product": "dvc", "versions": [{"status": "affected", "version": "6.0", "versionType": "custom", "lessThanOrEqual": "6.3"}], "defaultStatus": "unknown"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T13:57:51.361Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-11311", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-18T13:46:09.802701Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:trcore:dvc:*:*:*:*:*:*:*:*"], "vendor": "trcore", "product": "dvc", "versions": [{"status": "affected", "version": "6.0", "versionType": "custom", "lessThanOrEqual": "6.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T13:50:26.798Z"}}], "cna": {"title": "TRCore DVC - Arbitrary File Upload through Path Traversal", "source": {"advisory": "TVN-202411018", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TRCore", "product": "DVC", "versions": [{"status": "affected", "version": "6.0", "versionType": "custom", "lessThanOrEqual": "6.3"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to version 6.4 or later.", "supportingMedia": [{"type": "text/html", "value": "Update to version 6.4 or later.", "base64": false}]}], "datePublic": "2024-11-18T06:08:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-8246-d462a-1.html", "tags": ["third-party-advisory"]}, {"url": "https://www.twcert.org.tw/en/cp-139-8247-83457-2.html", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.", "supportingMedia": [{"type": "text/html", "value": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-11-18T06:24:25.095Z"}}}, "cveMetadata": {"cveId": "CVE-2024-11311", "state": "PUBLISHED", "dateUpdated": "2024-11-18T13:57:51.361Z", "dateReserved": "2024-11-18T01:44:51.777Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2024-11-18T06:24:25.095Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trcore:dvc:*:*:*:*:*:*:*:*", "matchCriteriaId": "FEBC9960-DCCF-4107-9B47-F37CD5F4DAF9", "versionEndExcluding": "6.4", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells."}, {"lang": "es", "value": "El DVC de TRCore tiene una vulnerabilidad de Path Traversal y no restringe los tipos de archivos cargados. Esto permite que atacantes remotos no autenticados carguen archivos arbitrarios en cualquier directorio, lo que lleva a la ejecuci\u00f3n de c\u00f3digo arbitrario al cargar webshells."}], "id": "CVE-2024-11311", "lastModified": "2024-11-20T15:17:01.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2024-11-18T07:15:13.063", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/en/cp-139-8247-83457-2.html"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-8246-d462a-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-23"}, {"lang": "en", "value": "CWE-434"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}

{}