CVE-2024-30265
📋 TL;DR
CVE-2024-30265 is a local file inclusion vulnerability in Voilà dashboard deployments that allows attackers to download any file readable by the server process. This affects any Voilà deployment where the dashboard is accessible over the network, potentially exposing sensitive configuration files, credentials, or other system data. The risk level depends on whether authentication is required for the Voilà dashboard.
💻 Affected Systems
- Voilà Dashboard
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through exposure of sensitive files like SSH keys, configuration files with credentials, or system files that enable privilege escalation.
Likely Case
Exfiltration of sensitive application data, configuration files, or user data stored in accessible directories.
If Mitigated
Limited impact if proper network segmentation, authentication, and file permissions are in place to restrict access to sensitive files.
🎯 Exploit Status
Exploitation is straightforward via crafted HTTP requests to access local files. Whether authentication is required depends on the specific Voilà deployment configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.2.17, 0.3.8, 0.4.4, or 0.5.6 depending on your version line
Vendor Advisory: https://github.com/voila-dashboards/voila/security/advisories
Restart Required: Yes
Instructions:
1. Identify your current Voilà version.
2. Upgrade to the patched version for your release line: 0.2.x → 0.2.17, 0.3.x → 0.3.8, 0.4.x → 0.4.4, 0.5.x → 0.5.6.
3. Restart the Voilà service.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Voilà dashboard using firewall rules or network segmentation (Linux example below; replace the bracketed placeholders with your port and trusted network):
iptables -A INPUT -p tcp --dport [voila_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [voila_port] -j DROP
Authentication Enforcement
Ensure the Voilà dashboard requires authentication if it is not already configured to do so.
🧯 If You Can't Patch
- Implement strict network access controls to limit Voilà dashboard access to trusted IPs only
- Run Voilà with minimal file system permissions using a dedicated low-privilege user account
🔍 How to Verify
Check if Vulnerable:
Check if your Voilà version is below the patched versions: 0.2.17, 0.3.8, 0.4.4, or 0.5.6
Check Version:
voila --version
Verify Fix Applied:
Confirm version is at or above the patched version for your release line and test that local file inclusion attempts are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual file path access patterns in Voilà logs
- Requests for known sensitive file paths like /etc/passwd, configuration files
Network Indicators:
- HTTP requests with path traversal patterns to Voilà dashboard endpoints
SIEM Query:
source="voila.log" AND (url="*../*" OR url="*/etc/*" OR url="*/proc/*" OR url="*/sys/*")
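The SIEM query above only matches literal `../` and absolute sensitive paths. The following added example (not from the advisory or the Voilà project) scans access log lines offline, URL-decodes the request path so encoded traversal sequences are also caught, normalizes it, and flags requests that walk upward or resolve to a sensitive system directory. The log layout and sample lines are constructed; adapt `LINE_RE` to your proxy or Tornado log format.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in a Tornado-style access log layout (hypothetical).
SAMPLE_LOG = """\
200 GET /voila/render/report.ipynb (10.0.0.5) 41.2ms
200 GET /voila/static/main.js (10.0.0.5) 3.1ms
404 GET /voila/static/../../../etc/passwd (198.51.100.7) 1.0ms
404 GET /voila/static/..%2f..%2f..%2fetc%2fshadow (198.51.100.7) 0.9ms
200 GET /voila/render/dashboards/2024/q1.ipynb (10.0.0.8) 38.7ms
404 GET /voila/templates/%2e%2e/%2e%2e/proc/self/environ (203.0.113.9) 1.1ms
"""

# status, method, path, client IP; adjust for your own log format.
LINE_RE = re.compile(r"^(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<path>\S+) \((?P<ip>[^)]+)\)")
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/sys/", "/root/", "/home/")


def is_suspicious(raw_path: str) -> bool:
    """True if the request path traverses upward or resolves to a sensitive directory."""
    # Strip the query string, then decode twice so double-encoded sequences are seen too.
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    if "../" in decoded or "..\\" in decoded:
        return True
    # Collapse any remaining dot segments and check the resolved absolute path.
    return posixpath.normpath(decoded).startswith(SENSITIVE_PREFIXES)


def scan(log_text: str) -> list[dict]:
    """Return one record per suspicious request: client IP, raw path, HTTP status."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": m["status"]})
    return hits


def top_sources(hits: list[dict]) -> list[tuple[str, int]]:
    """Client IPs ranked by number of suspicious requests, for triage."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']:15} {h['status']} {h['path']}")
    print("top sources:", top_sources(found))
```

A 404 on such a request is still worth alerting on: it shows probing against the dashboard even when the patched version rejects the path.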
🔗 References
- https://github.com/voila-dashboards/voila/commit/00d6362c237b6b4d466873535554d6076ead0c52
- https://github.com/voila-dashboards/voila/commit/28faacc9b03b160fd8fa920ad045f4ec0667ab67
- https://github.com/voila-dashboards/voila/commit/5542e4ae36bb5d184deaa48f95e76be477756af2
- https://github.com/voila-dashboards/voila/commit/98b6a40fec27723572314fdbba99bdc147d904c8
- https://github.com/voila-dashboards/voila/commit/c045be6988539d07cceeb9f82fc660a49485d504
- https://github.com/voila-dashboards/voila/security/advisories/GHSA-2q59-h24c-w6fg