CVE-2024-54453
Description
Path traversal in Kurmi Provisioning Suite's DocServlet lets unauthenticated attackers read arbitrary files, including source code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The Kurmi Provisioning Suite contains a path traversal vulnerability in the DocServlet servlet. The issue is present in versions before 7.9.0.35, 7.10.x before 7.10.0.18, and 7.11.x before 7.11.0.15. By sending a request whose file parameter contains directory traversal sequences, a remote attacker can read any file within the Kurmi web application installation folder [2].
Exploitation
Exploitation does not require authentication because the DocServlet is reachable over the network without a login. An attacker only needs to send a single crafted HTTP request to the server. The root cause is missing input validation: the servlet does not check that the requested path stays within the intended directory, so traversal sequences let it resolve to a file elsewhere in the installation [2].
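The following is an added example, not Kurmi's code and not taken from the advisory: it shows the generic servlet pattern behind this class of bug (join the user-supplied name onto a document directory and open the result) beside the containment check that closes it, plus a decoder for spotting traversal attempts in access logs. The directory layout, file names and request paths are constructed sample data; the function and directory names are hypothetical.

```python
"""Added example (not Kurmi code): why naive path joining in a document
servlet lets '../' escape the web root, and the containment check that
stops it. Paths, file names and request paths below are hypothetical."""
import os
import tempfile
from urllib.parse import unquote


def make_sample_root() -> str:
    """Build a throwaway install tree (constructed sample data, not a real
    product layout): root/docs is the only directory meant to be served."""
    base = tempfile.mkdtemp(prefix="webapp-")
    root = os.path.join(base, "webapp")
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "WEB-INF"))
    with open(os.path.join(root, "docs", "manual.txt"), "w") as f:
        f.write("public manual\n")
    with open(os.path.join(root, "WEB-INF", "web.xml"), "w") as f:
        f.write("<web-app/>\n")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside the web root\n")
    return root


def resolve_naive(root: str, requested: str) -> str:
    """Vulnerable pattern: join and normalise, never check containment.
    '..' components are honoured, so the result can leave root/docs and
    even the web root itself."""
    return os.path.normpath(os.path.join(root, "docs", requested))


def resolve_contained(root: str, requested: str) -> str:
    """Hardened pattern: canonicalise both sides (realpath also resolves
    symlinks), then require the candidate to sit under the docs directory."""
    docs_dir = os.path.realpath(os.path.join(root, "docs"))
    # os.path.join discards docs_dir entirely if `requested` is absolute,
    # so strip leading separators before joining.
    candidate = os.path.realpath(
        os.path.join(docs_dir, requested.lstrip("/\\")))
    if os.path.commonpath([docs_dir, candidate]) != docs_dir:
        raise PermissionError(f"refusing path outside docs dir: {requested!r}")
    return candidate


def read_doc(root: str, requested: str, resolver) -> str:
    """Serve a document using the supplied resolver (naive or contained)."""
    with open(resolver(root, requested), encoding="utf-8") as f:
        return f.read()


def is_rejected(root: str, requested: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        resolve_contained(root, requested)
    except PermissionError:
        return True
    return False


def looks_like_traversal(raw_request_path: str, max_decodes: int = 3) -> bool:
    """Detection helper for access-log review: decode repeatedly (catches
    %2e%2e%2f as well as double-encoded %252e%252e) and flag any path
    segment that is exactly '..'. Dots inside a file name are not flagged."""
    decoded = raw_request_path
    for _ in range(max_decodes):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


if __name__ == "__main__":
    root = make_sample_root()
    print(read_doc(root, "../WEB-INF/web.xml", resolve_naive))   # escapes docs/
    print(is_rejected(root, "../WEB-INF/web.xml"))               # True
    print(looks_like_traversal("/docs/..%2f..%2fWEB-INF%2fweb.xml"))  # True
```

The containment check compares canonical paths rather than searching the raw string for `..`, so encoded, mixed-separator and symlinked variants all end up judged by where the path actually lands. The log helper is the opposite trade-off: it is cheap and works on raw request lines, but it is a triage signal, not proof of exploitation.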
Impact
Successful exploitation allows the attacker to retrieve sensitive files from the installation directory. This includes obfuscated or compiled Kurmi source code, configuration files, or any other file stored under the web application root. Exposed source code can reveal business logic, API keys, or further security weaknesses [2].
Mitigation
Kurmi Software has fixed the vulnerability in versions 7.9.0.35, 7.10.0.18, and 7.11.0.15. Users should upgrade to these or later releases on their branch. The advisory with patch details is available on the vendor's site [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: before 7.9.0.35; 7.10.x before 7.10.0.18; 7.11.x before 7.11.0.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.