CVE-2024-9362
published 2025-03-20


Priority: P2 (58) · Severity: high · CVSS 3.0 base score: 7.5
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 4.25% (89.8th percentile)
An unauthenticated directory traversal vulnerability exists in Polyaxon, affecting the latest version. This vulnerability allows an attacker to retrieve directory information and file contents from the server without proper authorization, leading to sensitive information disclosure. The issue enables access to system directories such as `/etc`, potentially resulting in significant security risks.

Affected (1 range)

Vendor: polyaxon · Product: polyaxon_polyaxon · Version range: unspecified – latest · Fixed in: none listed

Detection & IOCs (extracted from sources)

URL: /streams/v1/polyaxon/default/s/runs/%2e%2e/artifact?stream=true&path=../../../../etc/passwd
  • Look for unauthenticated GET requests to the Polyaxon streams API path containing URL-encoded dot-dot sequences (%2e%2e) and path traversal strings targeting /etc/passwd or other sensitive files.
  • A successful exploit returns HTTP 200 with the body matching the pattern 'root:.*:0:0:', indicating /etc/passwd content was disclosed.
  • FOFA query 'title=="Polyaxon"' can be used to identify exposed Polyaxon instances on the internet that may be vulnerable.
  • Exploit requires no authentication; any unauthenticated network request to the vulnerable endpoint is sufficient to trigger the vulnerability.
  • The vulnerability affects the latest version of Polyaxon at time of disclosure; the nuclei template is marked as verified with max-request of 1, meaning a single request is enough to confirm exploitation.
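The detection logic described in the bullets above, as an added example that is not code from this page or from the Polyaxon project: it runs over a few constructed access-log lines in combined log format, flags requests to the streams API whose path or query string contains a `..` segment after percent-decoding, and checks a response body for the page's `root:.*:0:0:` pattern. It goes slightly beyond the page by also collapsing double percent-encoding (`%252e`) before matching, so an encoded variant of the same request is not missed. All IPs, timestamps and log lines are constructed sample data.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
# Line 1 is the request shape given on the page; line 2 is the same request with
# double-encoded dots; lines 3 and 4 are benign and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /streams/v1/polyaxon/default/s/runs/%2e%2e/artifact?stream=true&path=../../../../etc/passwd HTTP/1.1" 200 1834
10.0.0.5 - - [20/Mar/2025:10:01:03 +0000] "GET /streams/v1/polyaxon/default/s/runs/%252e%252e/artifact?stream=true&path=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834
10.0.0.7 - - [20/Mar/2025:10:02:10 +0000] "GET /streams/v1/polyaxon/default/s/runs/abc123/artifact?stream=true&path=outputs/model.pkl HTTP/1.1" 200 55123
10.0.0.8 - - [20/Mar/2025:10:03:44 +0000] "GET /api/v1/projects HTTP/1.1" 401 0
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

STREAMS_PREFIX = "/streams/v1/"          # the Polyaxon streams API path from the page
DOTDOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # a lone ".." path segment
PASSWD_RE = re.compile(r'root:.*:0:0:')   # the page's success indicator


def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so %252e%252e (double encoding) collapses to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target):
    """True if the request path or any query value contains a '..' segment after decoding."""
    parts = urlsplit(target)
    if DOTDOT_RE.search(fully_decode(parts.path)):
        return True
    # parse_qs decodes one layer; fully_decode handles any remaining layers.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for v in values:
            if DOTDOT_RE.search(fully_decode(v)):
                return True
    return False


def detect(log_text):
    """Return one finding per streams-API request that carries a traversal sequence."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not target.startswith(STREAMS_PREFIX):
            continue
        if has_traversal(target):
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": int(m.group("status")),
                "target": target,
                # The page states a successful exploit returns HTTP 200.
                "likely_success": m.group("status") == "200",
            })
    return findings


def body_discloses_passwd(body):
    """True if an HTTP response body matches the page's /etc/passwd disclosure pattern."""
    return PASSWD_RE.search(body) is not None


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} success={f['likely_success']} {f['target']}")
```

Because the decoding is applied separately to the path and to each query value, a request is flagged whether the `..` sits in the run-id segment of the path (as in the page's URL) or only in the `path=` parameter; the response-body check is meant for proxies or WAF logs that retain bodies, where a 200 on a flagged request plus a `root:.*:0:0:` match is the strongest confirmation of disclosure.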