CVE-2024-24756

Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5.
Configurations

Configuration 1 (hide)

cpe:2.3:a:crafatar:crafatar:*:*:*:*:*:*:*:*

History

09 Feb 2024, 19:47

Type Values Removed Values Added
References () https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67 - () https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67 - Product
References () https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373 - () https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373 - Patch
References () https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2 - () https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2 - Exploit, Vendor Advisory
CWE CWE-22
First Time Crafatar crafatar
Crafatar
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:crafatar:crafatar:*:*:*:*:*:*:*:*

01 Feb 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-01 23:15

Updated : 2024-02-28 20:54


NVD link : CVE-2024-24756

Mitre link : CVE-2024-24756

CVE.ORG link : CVE-2024-24756


JSON object : View

Products Affected

crafatar

  • crafatar
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')