CVE-2024-24765
📋 TL;DR
CVE-2024-24765 is a path traversal vulnerability in CasaOS-UserService that allows unauthorized file access due to insufficient URL filtering for avatar images. Attackers can read arbitrary files on the system, potentially accessing sensitive data like user databases. This affects CasaOS installations using CasaOS-UserService versions before 0.4.7.
💻 Affected Systems
- CasaOS-UserService
📦 What is this software?
CasaOS by IceWhale
⚠️ Risk & Real-World Impact
Worst Case
Attackers use secrets recovered from sensitive system files to gain root privileges, compromising the entire CasaOS installation and potentially the underlying host system.
Likely Case
Unauthorized access to CasaOS user database and configuration files, leading to credential theft and privilege escalation within CasaOS.
If Mitigated
Limited to reading non-critical files if proper file permissions and network segmentation are implemented.
🎯 Exploit Status
The vulnerability requires no authentication and involves simple path traversal techniques. While no public PoC exists, exploitation is straightforward based on the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4.7
Vendor Advisory: https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c
Restart Required: Yes
Instructions:
1. Update CasaOS-UserService to version 0.4.7 or later.
2. Restart the CasaOS-UserService.
3. Verify the service is running the patched version.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to CasaOS-UserService to trusted IPs only
sudo ufw allow from TRUSTED_IP to any port CASAOS_PORT
sudo ufw deny CASAOS_PORT
File Permission Hardening
Set strict permissions on sensitive files to limit damage if exploited
sudo chmod 600 /path/to/sensitive/files
sudo chown root:root /path/to/sensitive/files
🧯 If You Can't Patch
- Isolate CasaOS instance from internet and restrict to internal network only
- Implement strict file system permissions and monitor for unauthorized file access attempts
🔍 How to Verify
Check if Vulnerable:
Check the CasaOS-UserService version: if the version is lower than 0.4.7, the system is vulnerable
Check Version:
Check CasaOS-UserService logs or configuration for version information, or run: systemctl status casaos-userservice | grep version
Verify Fix Applied:
Confirm CasaOS-UserService version is 0.4.7 or higher and test that path traversal attempts to access system files are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in CasaOS-UserService logs
- Multiple failed or successful attempts to access files outside avatar directory
Network Indicators:
- HTTP requests with path traversal sequences (../) to CasaOS-UserService avatar endpoints
SIEM Query:
source="casaos-userservice" AND (url="*../*" OR (status=200 AND url!="*/avatar/*"))
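As an added example that is not part of this advisory, the following Python scanner applies the network indicator above to access-log lines: it percent-decodes request URLs (including double-encoded forms) and flags traversal sequences in either the path or the query string. The log format, the avatar route prefix and the sample lines are assumptions constructed for the example.

```python
# Added example: detect directory-traversal sequences in HTTP access logs.
# Log format, AVATAR_PREFIX and SAMPLE lines are constructed assumptions,
# not taken from CasaOS-UserService or the advisory.
import re
from urllib.parse import unquote

# Assumed avatar route; replace with the real CasaOS-UserService endpoint.
AVATAR_PREFIX = "/v1/users/avatar"

# Combined-log-style line: client ip ... "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment delimited by path or query separators (or string ends).
TRAVERSAL_RE = re.compile(r"(?:^|[/?=&])\.\.(?:$|[/?&])")

def normalize_url(url: str) -> str:
    """Percent-decode up to three rounds so %2e%2e%2f and %252e%252e%252f
    both become '../'; also fold backslashes into forward slashes."""
    prev = None
    for _ in range(3):
        if url == prev:
            break
        prev, url = url, unquote(url)
    return url.replace("\\", "/")

def has_traversal(url: str) -> bool:
    """True if the decoded path or query contains a '..' traversal segment."""
    return TRAVERSAL_RE.search(normalize_url(url)) is not None

def scan(lines):
    """Return (ip, raw_url, status, targets_avatar) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not has_traversal(m["path"]):
            continue
        avatar = normalize_url(m["path"]).startswith(AVATAR_PREFIX)
        hits.append((m["ip"], m["path"], int(m["status"]), avatar))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '10.0.0.5 - - [01/Feb/2024:12:00:00 +0000] "GET /v1/users/avatar?path=profile.png HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Feb/2024:12:00:01 +0000] "GET /v1/users/avatar/../../../../etc/passwd HTTP/1.1" 200 1403',
    '10.0.0.9 - - [01/Feb/2024:12:00:02 +0000] "GET /v1/users/avatar/%2e%2e%2f%2e%2e%2fetc/shadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Feb/2024:12:00:03 +0000] "GET /v1/users/avatar?path=..%2F..%2Fdb%2Fuser.db HTTP/1.1" 200 4096',
    '10.0.0.7 - - [01/Feb/2024:12:00:04 +0000] "GET /v1/users/current HTTP/1.1" 200 233',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A 200 response on a flagged line is the stronger signal, since a 403 suggests the request was already rejected.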
🔗 References
- https://github.com/IceWhaleTech/CasaOS-UserService/commit/3f4558e23c0a9958f9a0e20aabc64aa8fd51840e
- https://github.com/IceWhaleTech/CasaOS-UserService/releases/tag/v0.4.7
- https://github.com/IceWhaleTech/CasaOS-UserService/security/advisories/GHSA-h5gf-cmm8-cg7c