CVE-2024-31849
published 2024-04-05

Priority: P276 · Severity: critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 6.08% (92.5th percentile)
A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application.

Affected

1 range

Vendor: cdata · Product: connect · Version range: < 23.4.8846 · Fixed in: 23.4.8846

Detection & IOCs (extracted from sources)

path: /src/getSettings.rsb
path: /login.rst
cookie: apiserver_jsessionid
  • Detect path traversal attempts that use backslash characters in URIs targeting CData Connect. Look for HTTP requests containing the '/ui/..\src\' pattern, which Jetty accepts but Tomcat rejects.
  • In HTTP response bodies, match on the combination of '"items":[{', ':"true"', and 'notifyemail' to confirm successful exploitation of the getSettings endpoint.
  • The vulnerability requires the application to be running with the embedded Jetty server. Deployments on Tomcat are not affected, because Tomcat rejects backslash characters in URIs.
  • The attack bypasses the security constraints defined in web.xml by exploiting how Jetty processes servlet mappings and security constraints in ways CData did not intend, combined with missing session checks on endpoints.
  • The vulnerability only affects the Java version of CData Connect running with the embedded Jetty server. Deployments using Tomcat are not vulnerable.
  • The exploit is unauthenticated — no credentials or session token are required to achieve full administrative access.
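As an added defensive example, not part of the cvebase record or of CData's code, the following Python scanner implements the first detection note above over access-log lines. It flags requests whose raw target carries a backslash (literal or percent-encoded as %5C) and, once backslashes are folded to '/', contains a '..' segment, so it generalizes beyond the literal '/ui/..\src\' string; the log lines and client addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical; not taken from the advisory).
SAMPLE_LOG = r"""
10.0.0.5 - - [05/Apr/2024:10:00:01 +0000] "GET /ui/login.rst HTTP/1.1" 200 1523
10.0.0.9 - - [05/Apr/2024:10:00:02 +0000] "GET /ui/..\src\getSettings.rsb HTTP/1.1" 200 9812
10.0.0.9 - - [05/Apr/2024:10:00:03 +0000] "GET /ui/..%5Csrc%5CgetSettings.rsb HTTP/1.1" 200 9812
10.0.0.7 - - [05/Apr/2024:10:00:04 +0000] "GET /ui/assets/app.css HTTP/1.1" 200 310
"""

# Pulls the method and request-target out of a common-log-format request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_path(target):
    # Drop the query string, percent-decode twice (to catch double encoding),
    # then fold backslashes into forward slashes so '..\' is treated like '../'.
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def is_backslash_traversal(target):
    """True when the raw target contains a backslash (literal or %5C) and the
    normalized path has a '..' segment. Jetty accepts such targets; Tomcat rejects
    them, which is why this rule only matters for embedded-Jetty deployments."""
    raw_has_backslash = "\\" in target or "%5c" in target.lower()
    segments = normalize_path(target).split("/")
    return raw_has_backslash and ".." in segments


def scan_log(text):
    """Return (line_number, client_ip, target) for each flagged request."""
    hits = []
    for lineno, line in enumerate(text.strip().splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and is_backslash_traversal(m.group("target")):
            hits.append((lineno, line.split()[0], m.group("target")))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s requested %s" % hit)
```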