7.5 CVE-2024-11978

An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access. [Fingerprinting of the operating system] In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used. [Survey application] Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path. [Attempt variations on input parameters] Using manual or automated means, an adversary attempts varying absolute file paths on all found user input locations and observes the responses. [Access, modify, or execute arbitrary files.] An adversary injects absolute path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.