VYPR
Medium severity 5.4 · NVD Advisory · Published Jun 24, 2024 · Updated Apr 15, 2026

CVE-2024-37825


Description

An issue in EnvisionWare Computer Access & Reservation Control SelfCheck v1.0 (fixed in OneStop 3.2.0.27184 Hotfix May 2024) allows unauthenticated attackers on the same network to perform a directory traversal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated directory traversal in EnvisionWare SelfCheck v1.0 allows attackers on the same network to access sensitive files on the underlying host.

Vulnerability Overview

CVE-2024-37825 is a directory traversal vulnerability in EnvisionWare Computer Access & Reservation Control SelfCheck v1.0. The flaw allows unauthenticated attackers on the same network to traverse directories and access files outside the intended web root, potentially exposing sensitive data stored on the host system. The vulnerability exists in the application server component of the SelfCheck software [1][2].

Attack Vector and Exploitation

The attack vector is network-based: the attacker must be on the same network as the vulnerable SelfCheck server, and no authentication is needed. The directory traversal enables reading arbitrary files from the server's filesystem by manipulating path sequences in HTTP requests [2].

Impact and Remediation

Successful exploitation could allow an attacker to read sensitive configuration files, credentials, or other data stored on the underlying host. This could facilitate further targeted attacks to compromise the SelfCheck server or the broader network. EnvisionWare has addressed the issue in the OneStop 3.2.0.27184 Hotfix, released in May 2024. It was not disclosed which prior software versions are affected beyond SelfCheck v1.0 [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

3
