CVE-2024-49359

Name of the Vulnerable Software and Affected Versions ZimaOS versions 1.2.4 and earlier

Description The issue allows authenticated users to perform a directory traversal attack via the API endpoint http://<Zima Server IP:PORT>/v2 1/file, enabling access to sensitive system directories such as /etc. This could expose critical configuration files and increase the risk of further attacks.

Recommendations For ZimaOS versions 1.2.4 and earlier, as a temporary workaround, consider restricting access to the http://<Zima Server IP:PORT>/v2 1/file API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.