CVE-2024-10379

Name of the Vulnerable Software and Affected Versions ESAFENET CDG version 5

Description A problematic vulnerability was found in ESAFENET CDG, affecting the actionViewDecyptFile function in the /com/esafenet/servlet/client/DecryptApplicationService.java file. The vulnerability can be exploited by manipulating the decryptFileId argument with a specific input, such as ../../../Windows/System32/drivers/etc/hosts, leading to path traversal. The attack can be launched remotely. The affected function has a typo and is missing an 'R'. The vendor was contacted about this disclosure but did not respond.

Recommendations For ESAFENET CDG version 5, consider disabling the actionViewDecyptFile function until a patch is available to prevent path traversal attacks. Restrict access to the DecryptApplicationService.java file to minimize the risk of exploitation. Avoid using the decryptFileId argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.