CVE-2024-37372: Path Traversal
Published Jan 9, 2025
The Permission Model assumes that any path starting with two backslashes (`\\`) carries a four-character prefix that can be ignored. This is not always true, and the incorrect assumption leads to vulnerable edge cases in how such paths are checked.
Affected Software
2 affected components
IBM Controller <= 11.1.0
IBM Controller <= 11.0.0 - 11.0.1
Event History
Jan 9, 2025
CVE Published
via MITRE·12:33 AM
Data Sourced
via MITRE·12:33 AM
Description, Severity
Data Sourced
via NVD·01:15 AM
Description, Severity, Weakness
Feb 28, 2025
Data Sourced
via IBM·12:00 AM
Description, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2024-37372?
CVE-2024-37372 is considered a high severity vulnerability due to its potential for remote exploitation.
2. How do I fix CVE-2024-37372?
To fix CVE-2024-37372, users should update IBM Planning Analytics to version 2.1 or later.
3. What products are affected by CVE-2024-37372?
CVE-2024-37372 affects IBM Planning Analytics versions up to and including 2.1 and 2.0.
4. What type of attack can exploit CVE-2024-37372?
CVE-2024-37372 can be exploited by attackers through improper processing of UNC paths, leading to a potential security bypass.
5. What is the primary cause of CVE-2024-37372?
CVE-2024-37372 is caused by the Permission Model's improper handling of paths that start with two backslashes.