
CVE-2024-23822: Thruk Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

5.4 CVSS

Description

Thruk is a multi-backend monitoring web interface. Prior to version 3.12, a file upload form in the Thruk web application does not restrict where an uploaded file is written: the destination path is derived from client-supplied input, so an authenticated user (the CVSS vector records low privileges, no user interaction) can write the uploaded file to any path the Thruk process has write permission for. This is a Path Traversal (Directory Traversal) weakness, CWE-22. Version 3.12 fixes the issue.
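The bug class above, modelled as an added example that is not Thruk's code and is written in Python rather than Thruk's Perl so it can be run stand-alone. `unsafe_destination` is the vulnerable pattern (client-supplied name joined straight onto the upload directory); `safe_destination` and `save_upload` show the check a fixed handler needs, including the symlink case that a plain string-prefix comparison misses. All directory and file names are hypothetical.

```python
"""Added illustration of CWE-22 in an upload handler (hypothetical, not Thruk's code)."""
import os
from pathlib import Path


def unsafe_destination(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern: trusts the client-supplied name outright.

    os.path.join discards upload_dir when filename is absolute, and
    '..' segments walk out of it, so the caller can write anywhere the
    server process has permission for.
    """
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_destination(upload_dir: str, filename: str) -> Path:
    """Hardened pattern: treat the client value as a bare file name and
    confirm the resolved target sits directly inside the upload directory.

    Raises ValueError on any attempt to leave the directory. Run this on the
    *decoded* form value; a check applied before URL decoding is bypassed
    by %2e%2e%2f.
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty name or embedded NUL")
    # An upload form only needs a leaf name, so any separator (either
    # flavour) or a bare dot segment is a traversal attempt, not a path.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise ValueError(f"path separator or dot segment in {filename!r}")

    base = Path(upload_dir).resolve()
    target = (base / filename).resolve()
    # resolve() follows symlinks, so a link planted inside upload_dir that
    # points elsewhere ends up with a different parent and is rejected too.
    if target.parent != base:
        raise ValueError(f"{filename!r} resolves outside {base}")
    return target


def save_upload(upload_dir: str, filename: str, data: bytes) -> Path:
    """Write an upload only to a validated destination; returns the path."""
    dest = safe_destination(upload_dir, filename)
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def traversal_rejected(upload_dir: str, filename: str) -> bool:
    """True if safe_destination refuses the name (handy for tests/fuzzing)."""
    try:
        safe_destination(upload_dir, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    import tempfile

    # Constructed sample inputs: one benign name and three traversal attempts.
    up = os.path.join(tempfile.mkdtemp(), "uploads")
    for name in ("report.csv", "../escaped.txt", "/etc/cron.d/job", "..\\win.ini"):
        print(f"{name!r:20} unsafe -> {unsafe_destination(up, name)}")
        verdict = "REJECTED" if traversal_rejected(up, name) else safe_destination(up, name)
        print(f"{'':20} safe   -> {verdict}")
```

The important design choice is that the fixed handler never tries to "clean" the name (stripping `../` can be defeated with `....//`); it rejects anything that is not a plain leaf name and then verifies the resolved parent, so symlinks and platform-specific separators are handled by the filesystem rather than by string matching.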

Classification

CVE ID: CVE-2024-23822

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected Products

Vendor: sni

Product: Thruk

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.3% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 53.19% (proportion of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-17 (date the score was computed)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc (a public proof of concept exists; no active exploitation observed)

SSVC Technical Impact: partial (the exploit does not give total control of the affected component)

SSVC Automatable: false (the exploitation steps are not reliably automatable at scale)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-23822
https://github.com/sni/Thruk/security/advisories/GHSA-4mrh-mx7x-rqjx
https://github.com/sni/Thruk/commit/1aa9597cdf2722a69651124f68cbb449be12cc39
