CVE-2024-8524
Published: 20 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2024-8524 is a directory traversal vulnerability (CWE-22) affecting modelscope/agentscope version 0.0.4. The flaw allows an attacker to read arbitrary local JSON files on the server by sending a specially crafted POST request to the /read-examples endpoint. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with network accessibility, low attack complexity, and no requirements for privileges or user interaction.
Any unauthenticated remote attacker can exploit this vulnerability over the network without privileges. By crafting a malicious POST request to the exposed /read-examples endpoint, the attacker can traverse directories and access sensitive JSON files anywhere on the local filesystem, potentially exposing configuration data, credentials, or other confidential information stored in JSON format.
Details on mitigation, including any patches or workarounds, are available in the advisory published on Huntr at https://huntr.com/bounties/cc4acf33-700d-4220-8a8a-db28f5c4cc8f. Security practitioners should review this reference for remediation steps specific to modelscope/agentscope.
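One way to confine a file-reading endpoint such as /read-examples to its intended directory, shown as an added example that is not agentscope's code or its patch. The function names, the examples directory layout and the sample requests are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Requested example path failed validation."""


def resolve_example(base_dir, requested):
    """Return the real path of a .json file inside base_dir, else raise."""
    base = Path(base_dir).resolve(strict=True)
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    # Joining with an absolute path discards base, and ".." or a symlink can
    # climb out of it, so resolve first and compare the real paths afterwards.
    candidate = (base / requested).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise PathRejected("outside examples directory")
    if candidate.suffix != ".json" or not candidate.is_file():
        raise PathRejected("not a .json example file")
    return candidate


def check_samples():
    """Run constructed requests against a temporary directory layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        examples = root / "examples"
        examples.mkdir()
        (examples / "demo.json").write_text("{}")
        (root / "secret.json").write_text('{"note": "constructed"}')
        os.symlink(root / "secret.json", examples / "link.json")
        requests = {  # constructed sample inputs
            "plain": "demo.json",
            "dotdot": "../secret.json",
            "absolute": str(root / "secret.json"),
            "symlink": "link.json",
        }
        outcome = {}
        for label, req in requests.items():
            try:
                resolve_example(examples, req)
                outcome[label] = True
            except PathRejected:
                outcome[label] = False
        return outcome
```

Only the plain file name is accepted; the parent-directory, absolute-path and symlink requests all resolve outside the examples directory and are rejected before any file is opened.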
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated directory traversal in an exposed web endpoint directly enables exploitation of a public-facing application (T1190) and arbitrary local file reads for data collection (T1005).