StoneFly SCVM Vulnerability:
CVE-2024-31947
StoneFly Storage Concentrator (SC and SCVM) versions before 8.0.4.26 contain a vulnerability within the Online Help function. This vulnerability could be exploited by authenticated users to bypass directory restrictions and access unauthorized files on the system. These unauthorized files might contain sensitive system information.
Vulnerability Type
CWE-35: Path Traversal
Attack Vectors
An authenticated user submits a URL to the Online Help facility whose path parameter contains specially crafted file path traversal sequences, and thereby retrieves sensitive system files.
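The defensive counterpart to the attack vector described above is to validate the help path against the canonical location of the help directory rather than against the raw string. The following is an added example, not StoneFly's code and not taken from the affected product; it assumes help content lives under an illustrative HELP_ROOT and that the path parameter arrives already percent-decoded by the web framework (the parameter handling and directory are constructed for the example).

```python
"""Confining an Online Help path parameter to the help directory.

Added example, not StoneFly code. Assumes help content lives under
HELP_ROOT and that the requested value has already been percent-decoded
once by the web framework before reaching this function.
"""
from pathlib import Path
from typing import Optional

# Assumed help-content location; constructed for the example.
HELP_ROOT = Path("/var/www/onlinehelp").resolve()


def resolve_help_file(requested: str, root: Path = HELP_ROOT) -> Optional[Path]:
    """Return the on-disk file for a help request, or None if it escapes root.

    The check is made on the resolved (canonical) path, not on the raw string:
    filtering the literal text '..' misses mixed separators and symlinks,
    whereas comparing the resolved candidate against the resolved root
    rejects every path that ends up outside the help directory.
    """
    # NUL bytes truncate paths in C-based file APIs; absolute paths ignore root.
    if not requested or "\x00" in requested or requested.startswith(("/", "\\")):
        return None
    # Treat backslashes as separators so 'a\\..\\b' normalises like 'a/../b'.
    normalised = requested.replace("\\", "/")
    # resolve() collapses '.' and '..' components and follows symlinks.
    candidate = (root / normalised).resolve()
    # Path.relative_to raises ValueError when candidate is not inside root.
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    # A request that resolves to the root itself names a directory, not a page.
    if candidate == root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate page and several escape attempts.
    for sample in ("getting-started/index.html", "../../etc/passwd", "..\\..\\etc\\passwd"):
        print(repr(sample), "->", resolve_help_file(sample))
```

The resolved path is what is ultimately opened, so a handler that only ever reads the value returned here cannot be steered outside the help directory regardless of how the request string was encoded or separated.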
Attack Type
Remote
Affected Products
Storage Concentrator (SC) versions 8.0.4.25 and earlier.
Storage Concentrator Virtual Machine (SCVM) versions 8.0.4.25 and earlier.
Affected Component
The Online Help facility.
Remediation
StoneFly recommends upgrading to version 8.0.4.26 or later immediately. This update addresses the vulnerability and protects your system.
Additional Information
Acknowledgement
Credit to David Glenn Baylon at Aon Cyber Labs for discovering this vulnerability, responsibly reporting it, and working with us.
Exploitation
StoneFly, Inc. is not aware of any malicious use of this vulnerability in the wild.