PT-2024-2856 · Eclipse+1 · Jetty+1

Evan Grant

·

Published

2024-03-04

·

Updated

2024-05-10

·

CVE-2024-31848

CVSS v2.0

10

Critical

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: CData API Server versions prior to 23.4.8844
Description: A path traversal vulnerability exists in the Java version of CData API Server when it runs on the embedded Jetty server. The issue stems from incorrect handling of relative path segments that refer to a parent directory, combined with a lack of session checking on the affected endpoints. An unauthenticated remote attacker can send specially crafted HTTP requests to elevate privileges and gain complete administrative access to the application. Over 2,500 services are potentially affected.
Recommendations: Update to version 23.4.8844 or later. Until the update is applied, restrict network access to the embedded Jetty server (for example, to trusted hosts only) as a temporary workaround, and avoid exposing a vulnerable CData API Server on the embedded Jetty server for sensitive applications.
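The description above attributes the flaw to relative-path handling on endpoints that skip the session check. An analyst hunting for this class of request in access logs wants to see which requests reach a different path than the one written in the request line. The following is an added example, not code from the advisory, from CData or from the Jetty project: it parses NCSA-style access log lines (the format Jetty's request log can emit), decodes the request target, collapses dot segments and strips ";" path parameters, and reports every request whose effective path differs from the raw one. The log lines are constructed for the example, the endpoint names (/admin/..., /static/...) are placeholders rather than CData API Server paths, and the actual request pattern used against CData API Server is not given on this page, so the check is deliberately generic to the weakness class.

```python
"""Added example (not from the advisory or vendor): flag access-log requests whose
raw request target and normalized path disagree, the hallmark of path traversal
aimed at an auth check that matches on the raw path.

Assumptions: NCSA common log format as Jetty's request log can emit it; sample
lines are constructed; endpoint names are placeholders, not CData paths.
"""
import posixpath
import re
from urllib.parse import unquote

# NCSA common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: benign internal traffic plus one external host that uses
# three encodings of the same parent-directory trick against placeholder admin paths.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2024:10:15:01 +0000] "GET /login HTTP/1.1" 200 1312
10.0.0.5 - - [04/Mar/2024:10:15:07 +0000] "GET /static/app.css HTTP/1.1" 200 8840
203.0.113.7 - - [04/Mar/2024:10:16:22 +0000] "GET /static/../admin/settings HTTP/1.1" 200 5120
203.0.113.7 - - [04/Mar/2024:10:16:23 +0000] "GET /static/%2e%2e/admin/users HTTP/1.1" 200 7731
203.0.113.7 - - [04/Mar/2024:10:16:24 +0000] "GET /static/%252e%252e/admin/config HTTP/1.1" 200 4410
203.0.113.7 - - [04/Mar/2024:10:16:25 +0000] "POST /static/..;/admin/users HTTP/1.1" 200 212
10.0.0.9 - - [04/Mar/2024:10:17:00 +0000] "GET /admin/users HTTP/1.1" 302 0
"""


def decode_fully(path, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is resolved."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def effective_path(raw_target):
    """Path a servlet container would dispatch on: query stripped, percent-decoded,
    ';' path parameters removed from each segment, dot segments collapsed."""
    path = decode_fully(raw_target.split('?', 1)[0])
    path = '/'.join(seg.split(';', 1)[0] for seg in path.split('/'))
    norm = posixpath.normpath(path)
    if path != '/' and path.endswith('/'):
        norm += '/'  # keep a trailing slash; normpath drops it
    return norm


def is_traversal(raw_target):
    """True when the target carries '.', '..' or ';' tricks, or otherwise does not
    survive normalization unchanged."""
    path = decode_fully(raw_target.split('?', 1)[0])
    for seg in path.split('/'):
        if seg.split(';', 1)[0] in ('.', '..') or ';' in seg:
            return True
    norm = posixpath.normpath(path)
    if path != '/' and path.endswith('/'):
        norm += '/'
    return norm != path


def find_suspicious(log_text):
    """Return (ip, method, raw target, effective path, status) for every flagged request.
    A 200 on an effective admin path from an address that never logged in is what to triage."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or not is_traversal(m['target']):
            continue
        hits.append((m['ip'], m['method'], m['target'],
                     effective_path(m['target']), int(m['status'])))
    return hits


if __name__ == '__main__':
    for ip, method, raw, eff, status in find_suspicious(SAMPLE_LOG):
        print(f'{ip} {method} {raw} -> {eff} ({status})')
```

Run over a real Jetty access log, the report groups by source address so a single host walking several encodings of the same trick stands out; pair it with the server's own session or login log to confirm the flagged requests came from a client that had never authenticated.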

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2024-03004
CVE-2024-31848

Affected Products

CData API Server
Jetty