CVE-2024-57669

CVE-2024-57669 is a Directory Traversal vulnerability (CWE-22) in the Zrlog backup-sql-file.jar plugin version 3.0.31. The flaw exists in the BackupController.java file and enables a remote attacker to obtain sensitive information. Published on 2025-02-03, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity. By crafting malicious requests to the affected BackupController endpoint, the attacker traverses directories to access and disclose sensitive files on the server, potentially exposing configuration data, database contents, or other arbitrary files readable by the application process.

Mitigation is addressed in a patch commit (32bdb36e6cc4f0b72e1ba85ef4458fb980946ea4) in the zrlog-plugin-backup-sql-file repository at https://github.com/94fzb/zrlog-plugin-backup-sql-file/commit/32bdb36e6cc4f0b72e1ba85ef4458fb980946ea4. Further details appear in Zrlog issue #193 (https://github.com/94fzb/zrlog/issues/193) and a vulnerable research repository (https://github.com/HypeDuke/vulnerable-research/blob/main/CVE-2024-57669). Security practitioners should update to the patched version and review access controls on backup endpoints.