CVE-2024-54909
📋 TL;DR
This vulnerability in GoldPanKit eva-server v4.1.0 allows attackers to download arbitrary files from the server by manipulating the path parameter in the /api/resource/local/download endpoint. It affects systems running the vulnerable version of eva-server, potentially exposing sensitive configuration files, credentials, or other critical data.
💻 Affected Systems
- GoldPanKit eva-server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through downloading sensitive files like configuration files, SSH keys, or database credentials, leading to data theft, privilege escalation, or lateral movement.
Likely Case
Unauthorized access to sensitive files containing application configuration, logs, or user data, resulting in data exposure and potential compliance violations.
If Mitigated
Limited impact with proper file system permissions and network segmentation preventing access to critical system files.
🎯 Exploit Status
The vulnerability appears to be straightforward to exploit by manipulating URL parameters, though no public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after v4.1.0 (check GitHub repository for latest)
Vendor Advisory: https://github.com/goldpankit/eva-springboot2/issues/2
Restart Required: Yes
Instructions:
1. Check the GitHub repository for the latest version.
2. Update eva-server to the patched version.
3. Restart the eva-server service.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Temporarily disable or restrict access to the /api/resource/local/download endpoint
# Configure web server (nginx/apache) to block the endpoint
# Example nginx: location /api/resource/local/download { deny all; }
Implement input validation
Add server-side validation to restrict the path parameter to allowed directories
# Implement path traversal prevention in the application code
# Validate that requested files are within allowed directories
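The following is an added illustration of the server-side check described in this workaround; it is not eva-server's code, and the base directory, function names and request values are constructed for the example. It canonicalises the requested path under an allowed base directory and refuses anything that resolves outside it, including absolute paths, percent-encoded and double-encoded `..` sequences, backslash separators and NUL bytes.

```python
"""Path-confinement check for a file-download handler.

Added illustrative example (not eva-server's own code). Base directory,
function names and request values are constructed assumptions; the
technique (decode, normalise, require the result to stay under the base)
is general.
"""
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed directory."""


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %2e%2e%2f and the
    double-encoded %252e%252e%252f are both seen as '../'."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Return the absolute file path for `requested` inside `base_dir`.

    Raises PathTraversalError instead of returning anything outside the base.
    Steps:
      1. Reject NUL bytes before and after decoding (they can truncate
         paths in native file APIs).
      2. Percent-decode repeatedly so encoded traversal is not missed.
      3. Treat backslashes as separators so '..\\' is handled like '../'
         even on POSIX, where the OS itself would not treat it as traversal.
      4. Join with the base, normalise, and require the result to be a
         strict descendant of the base (commonpath catches absolute inputs
         as well as '..' sequences).
    """
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in path")
    decoded = _fully_decode(requested)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in decoded path")
    decoded = decoded.replace("\\", "/")

    base = os.path.abspath(base_dir)
    # os.path.join discards `base` when `decoded` is absolute; commonpath
    # below then rejects it because it no longer starts with `base`.
    candidate = os.path.normpath(os.path.join(base, decoded))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or candidate == base:
        raise PathTraversalError(f"path escapes allowed directory: {requested!r}")
    return candidate


def is_safe_download(base_dir: str, requested: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_download_path(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed base directory and request values, not real paths.
    for req in ("reports/q1.pdf", "../../../etc/passwd", "/etc/passwd",
                "%2e%2e%2f%2e%2e%2fapplication.yml", "..\\..\\win.ini"):
        print(f"{req!r:45} -> {'ALLOW' if is_safe_download('/srv/files', req) else 'REJECT'}")
```

Call `resolve_download_path` with the configured download root and the raw value of the `path` parameter, and only open the path it returns; a 400 or 403 on `PathTraversalError` is the appropriate response. Doing the check on the normalised absolute path, rather than by searching the input for `../`, is what makes encoded and mixed-separator variants fail closed.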
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the vulnerable endpoint
- Deploy a web application firewall (WAF) with path traversal protection rules
🔍 How to Verify
Check if Vulnerable:
Test the /api/resource/local/download endpoint with path traversal attempts (e.g., ../../../etc/passwd) and check if arbitrary files can be downloaded.
Check Version:
# Check eva-server version in application logs or configuration files
Verify Fix Applied:
After patching, repeat the vulnerability test to confirm arbitrary file downloads are no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /api/resource/local/download with path traversal patterns
- Multiple failed attempts to access sensitive file paths
Network Indicators:
- HTTP requests containing ../ patterns in URL parameters
- Unusual file download patterns from the API endpoint
SIEM Query:
source="web_server" AND url="/api/resource/local/download" AND (url CONTAINS "../" OR url CONTAINS "..\")
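As an added example (not part of the advisory or the eva project), the script below runs the log and network indicators above over a few constructed nginx "combined" access-log lines. The endpoint path is the one named in this CVE; the IP addresses, timestamps, log lines and the "3 hits per client" threshold are constructed assumptions. It goes a step beyond the SIEM query by percent-decoding query values, so `%2e%2e%2f` and `..%5c` variants, which a literal `../` match would miss, are flagged too.

```python
"""Flag path-traversal attempts against /api/resource/local/download in
web-server access logs.

Added example, not part of the original advisory or the eva project. The
sample log lines, client IPs and repeat-offender threshold are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/api/resource/local/download"  # endpoint named in the advisory
# A '..' path component bounded by '/' or '\' (or string start/end).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /api/resource/local/download?path=reports/q1.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /api/resource/local/download?path=../../../etc/passwd HTTP/1.1" 200 1342 "-" "curl/8.0"
203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /api/resource/local/download?path=%2e%2e%2f%2e%2e%2fapplication.yml HTTP/1.1" 200 880 "-" "curl/8.0"
203.0.113.9 - - [10/Jan/2025:10:00:04 +0000] "GET /api/resource/local/download?path=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "GET /api/other?path=../x HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) to catch double encoding."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def is_traversal_attempt(target: str) -> bool:
    """True when `target` hits the vulnerable endpoint with a traversing value.

    Every query value is checked (parse_qs already decodes one layer),
    plus the raw query string for a literal '../', matching the SIEM query.
    """
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return False
    values = [v for vs in parse_qs(parts.query, keep_blank_values=True).values() for v in vs]
    values.append(parts.query)
    return any(TRAVERSAL.search(fully_decode(v)) for v in values)


def scan_log(text: str, threshold: int = 3):
    """Return (events, repeat_offenders).

    events: list of (ip, status, target) for traversal attempts.
    repeat_offenders: IPs with at least `threshold` attempts, sorted.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            events.append((m["ip"], int(m["status"]), m["target"]))
    per_ip = Counter(ip for ip, _, _ in events)
    offenders = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return events, offenders


def successful_reads(events):
    """Attempts answered with 200: the server likely served the file."""
    return [e for e in events if e[1] == 200]


if __name__ == "__main__":
    found, repeat = scan_log(SAMPLE_LOG)
    for ip, status, target in found:
        print(f"{ip:12} {status} {target}")
    print("repeat offenders:", repeat)
    print("served (HTTP 200):", len(successful_reads(found)))
```

A 404 on a traversal attempt is noise worth counting (it feeds the "multiple failed attempts" indicator); a 200 on one is the event to escalate, since it means the server returned the file. Point `scan_log` at a real access log by reading the file into `text`.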