VYPR
Medium severity · 4.9 · NVD Advisory · Published Dec 27, 2024 · Updated Apr 15, 2026

CVE-2024-54452

Description

An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35 and 7.10.x through 7.10.0.18. A Directory Traversal and Local File Inclusion vulnerability in the logsSys.do page allows remote attackers (authenticated as administrators) to trigger the display of unintended files. Any file accessible to the Kurmi user account could be displayed, e.g., configuration files with information such as the database password.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Directory traversal and local file inclusion in Kurmi Provisioning Suite allows authenticated admins to read arbitrary files, including database passwords.

Vulnerability

Overview

The vulnerability is a directory traversal and local file inclusion flaw in the logsSys.do page of Kurmi Provisioning Suite. The page fails to properly validate user-supplied paths, allowing an authenticated administrator to navigate the filesystem and include arbitrary files [2].
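A containment check of the kind a log-viewing endpoint such as the one described above needs, written as an added example for this page (not Kurmi's code; the directory layout, file names and parameter values are constructed):

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

def resolve_log_path(user_value: str, log_root: Path) -> Path:
    """Return the canonical file for user_value only if it lies inside log_root,
    rejecting NUL bytes, absolute paths, '..' traversal (plain or URL-encoded,
    single or double) and symlinks in the log directory that point outside it."""
    # Decode twice so a double-encoded %252e%252e does not survive one pass
    # (a web framework normally decodes once before the handler sees the value).
    decoded = unquote(unquote(user_value))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    root = log_root.resolve()
    # resolve() follows symlinks and collapses '..'; containment is checked on the real target.
    candidate = (root / decoded).resolve()
    if root not in candidate.parents:
        raise ValueError(f"path escapes log directory: {user_value!r}")
    if candidate.suffix != ".log":
        raise ValueError("only .log files may be viewed")
    return candidate

def demo() -> dict:
    """Constructed layout (not Kurmi's real paths); returns ok/rejected per case."""
    with tempfile.TemporaryDirectory() as tmp:
        logs, conf = Path(tmp) / "logs", Path(tmp) / "conf"
        logs.mkdir()
        conf.mkdir()
        (logs / "kurmi.log").write_text("2024-12-27 INFO started\n")
        (conf / "db.properties").write_text("db.password=placeholder\n")
        # A symlink planted in the log directory that points outside it.
        (logs / "latest.log").symlink_to(conf / "db.properties")
        samples = {
            "plain": "kurmi.log",
            "dotdot": "../conf/db.properties",
            "double_encoded": "%252e%252e/conf/db.properties",
            "absolute": str(conf / "db.properties"),
            "nul_byte": "kurmi.log%00.txt",
            "symlink": "latest.log",
        }
        results = {}
        for label, value in samples.items():
            try:
                resolve_log_path(value, logs)
                results[label] = "ok"
            except ValueError:
                results[label] = "rejected"
        return results
```

Only the plain log name passes; every other case is refused before any file is opened, including the symlink, which a check on the raw string alone would miss.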

Exploitation

An attacker must first authenticate as an administrator to the Kurmi Provisioning Suite. Once authenticated, they can craft a malicious request to the logsSys.do endpoint with a path traversal sequence (e.g., ../) to read files outside the intended log directory. No additional privileges are required beyond admin access [2].

Impact

Successful exploitation enables the attacker to read any file accessible to the Kurmi user account on the server. This includes sensitive configuration files that may contain database passwords, LDAP credentials, or other secrets, leading to further compromise of the system [2].

Mitigation

Kurmi Software has released patched versions 7.9.0.35 and 7.10.0.18 to address this issue. Users are advised to upgrade immediately. No workarounds have been published [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.