CVE-2024-24756

7.5 HIGH

📋 TL;DR

CVE-2024-24756 is a path traversal vulnerability in Crafatar that allows attackers to read files outside the intended public directory. Affected systems include self-hosted Crafatar instances using vulnerable Docker containers, while instances behind Cloudflare or using the crafatar.com service are not affected. The vulnerability allows reading any file within the container filesystem.

💻 Affected Systems

Products:
  • Crafatar
Versions: Versions before 2.1.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects self-hosted instances using Docker containers as shown in README. Instances behind Cloudflare (including crafatar.com) are NOT affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could read sensitive files within the container, potentially exposing configuration files, secrets, or application source code that might contain hardcoded credentials.

🟠

Likely Case

Attackers can read non-confidential application files that are already publicly available in the repository, causing minimal actual damage but demonstrating vulnerability.

🟢

If Mitigated

With proper network segmentation and Cloudflare protection, the vulnerability is effectively neutralized as external attackers cannot reach the vulnerable endpoint.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires direct access to the vulnerable endpoint. The advisory includes code references showing the vulnerable path handling logic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.5

Vendor Advisory: https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2

Restart Required: Yes

Instructions:

1. Update Crafatar to version 2.1.5 or later.
2. Pull the latest Docker image if using a container.
3. Restart the Crafatar service.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Deploy behind Cloudflare

Platform: all

Place the Crafatar instance behind a Cloudflare proxy to block direct access to the vulnerable endpoint.

Network segmentation

Platform: linux

Restrict network access to the Crafatar instance using firewall rules (the ACCEPT rule for allowed sources must be appended before the DROP rule):

iptables -A INPUT -p tcp --dport [CRAFATAR_PORT] -s [ALLOWED_IPS] -j ACCEPT
iptables -A INPUT -p tcp --dport [CRAFATAR_PORT] -j DROP

🧯 If You Can't Patch

  • Deploy instance behind Cloudflare or reverse proxy with path validation
  • Implement strict network access controls to limit who can reach the Crafatar service

🔍 How to Verify

Check if Vulnerable:

Check whether the instance is running a Crafatar version earlier than 2.1.5 and is reachable without Cloudflare protection.

Check Version:

docker exec [container_name] node -e "console.log(require('/app/package.json').version)"

Verify Fix Applied:

Confirm the version is 2.1.5 or later and that path traversal attempts against the avatar endpoints return an error rather than file contents.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file path requests containing '../' sequences
  • Requests for non-avatar files or files outside expected paths

Network Indicators:

  • HTTP requests with path traversal sequences (../) to Crafatar endpoints

SIEM Query:

source="crafatar.logs" AND (url="*../*" OR url="*/../*")
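The SIEM query above matches only a literal "../" in the URL, so percent-encoded forms of the same sequence would not be caught. The following script is an added example (not part of the advisory and not Crafatar project code) that scans web-server access logs for traversal attempts after percent-decoding the request path, and summarises attempts per source IP, flagging responses with HTTP 200 as likely successful reads. It assumes a combined-log-style line format and uses constructed sample lines; the /avatars and /renders paths are assumed to be the avatar endpoints and are not taken from the advisory.

```python
"""Added example: detect path-traversal attempts in access logs.

Assumptions (not from the advisory): the log uses a combined-log-like format
with the request line in double quotes, and avatar requests go to /avatars/
and /renders/. All sample lines below are constructed for this example.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real Crafatar logs).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2024:10:00:01 +0000] "GET /avatars/069a79f444e94726a5befca90e38aaf5 HTTP/1.1" 200 1234
203.0.113.11 - - [01/Feb/2024:10:00:02 +0000] "GET /renders/body/069a79f444e94726a5befca90e38aaf5 HTTP/1.1" 200 5678
198.51.100.7 - - [01/Feb/2024:10:00:03 +0000] "GET /avatars/../../config.json HTTP/1.1" 404 0
198.51.100.7 - - [01/Feb/2024:10:00:04 +0000] "GET /avatars/..%2F..%2Fpackage.json HTTP/1.1" 200 890
198.51.100.7 - - [01/Feb/2024:10:00:05 +0000] "GET /avatars/%2e%2e/%2e%2e/app.js HTTP/1.1" 200 321
"""

# Combined-log-style request line: client IP, timestamp, method, path, status, size.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def normalize_path(path: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences such as
    %252e%252e are reduced to '..', and treat backslashes as path separators."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if any path segment, after decoding, is exactly '..'."""
    norm = normalize_path(path.split("?", 1)[0])
    return any(segment == ".." for segment in norm.split("/"))


def scan_log(text: str) -> list:
    """Return one finding per log line whose request path contains traversal."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        if is_traversal(m["path"]):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": m["path"],
                "decoded": normalize_path(m["path"]),
                "status": int(m["status"]),
            })
    return findings


def summarize(findings: list) -> dict:
    """Per-source-IP counts; a 200 response to a traversal request is treated
    as a likely successful file read and deserves immediate follow-up."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"attempts": 0, "successful": 0})
        entry["attempts"] += 1
        if f["status"] == 200:
            entry["successful"] += 1
    return summary


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["timestamp"]} {h["ip"]} {h["status"]} {h["path"]} -> {h["decoded"]}')
    print(summarize(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; any source with a non-zero "successful" count should be correlated with the version check above, since a 200 on a traversal request from an unpatched instance indicates a file was actually served.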
