CVE-2024-23822 MEDIUM

CVE-2024-23822: Thruk Incorrect limitation of a pathname to a restricted directory (Path Traversal) (CWE-22)

Vendor Sni
Product Thruk
Weakness CWE-22 · Path traversal
Published January 29, 2024
Last update May 29, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Thruk is a multibackend monitoring webinterface. Prior to 3.12, the Thruk web monitoring application presents a vulnerability in a file upload form that allows a threat actor to arbitrarily upload files to the server to any path they desire and have permissions for. This vulnerability is known as Path Traversal or Directory Traversal. Version 3.12 fixes the issue.

Key dates

02Disclosure timeline

January 29, 2024 CVE published
May 29, 2025 Record updated