CVE-2024-31457Path Traversal in Gin-vue-admin

CWE-22Path Traversal5 documents4 sources
Severity
7.7HIGHNVD
EPSS
0.3%
top 43.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Flipped-aurora Gin-vue-adminGithub.com Flipped-aurora Gin-vue-admin Server
Timeline
PublishedApr 9
Latest updateMay 20

Description

gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. gin-vue-admin pseudoversion 0.0.0-20240407133540-7bc7c3051067, corresponding to version 2.6.1, has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the `plugName` parameter. They can create specific folders such as `api`, `config`, `global`, `model`, `router`, `service`

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:HExploitability: 1.3 | Impact: 5.8

Affected Packages2 packages

Gogithub.com/flipped-aurora_gin-vue-admin_server< 0.0.0-20240409100909-b1b7427c6ea6
CVEListV5flipped-aurora/gin-vue-admin< 0.0.0-20240409100909-b1b7427c6ea6

🔴Vulnerability Details

4
OSV
Code injection vulnerability in github.com/flipped-aurora/gin-vue-admin/server2024-05-20
CVEList
gin-vue-admin background arbitrary code coverage vulnerability2024-04-09
GHSA
gin-vue-admin background arbitrary code coverage vulnerability2024-04-09
OSV
gin-vue-admin background arbitrary code coverage vulnerability2024-04-09
CVE-2024-31457 — Path Traversal in Gin-vue-admin | cvebase