Cyber Posture

CVE-2024-54909

Severity: High

Published: 06 February 2025

Modified: 15 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0018 (39.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability has been identified in GoldPanKit eva-server v4.1.0. It affects the path parameter of the /api/resource/local/download endpoint, where manipulation of this parameter can lead to arbitrary file download.

Security Summary

CVE-2024-54909 is a path traversal vulnerability (CWE-22) in GoldPanKit eva-server version 4.1.0. It affects the path parameter of the /api/resource/local/download endpoint, where manipulation of this parameter enables arbitrary file downloads. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

An attacker requires low privileges (PR:L) to exploit this issue remotely over the network without user interaction. By crafting a malicious path parameter, the attacker can traverse directories and download arbitrary files from the server, potentially exposing sensitive data or enabling further compromise through integrity violations.

Mitigation details are available in the referenced GitHub issue at https://github.com/goldpankit/eva-springboot2/issues/2, published on 2025-02-06.

Details

CWE(s): CWE-22
