Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by crafatar
CVE-2024-24756 (GCVE-0-2024-24756)
Vulnerability from nvd – Published: 2024-02-01 22:38 – Updated: 2025-05-15 19:51
VLAI
Title
Crafatar path traversal vulnerability
Summary
Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/crafatar/crafatar/security/adv… | x_refsource_CONFIRM |
| https://github.com/crafatar/crafatar/commit/bba00… | x_refsource_MISC |
| https://github.com/crafatar/crafatar/blob/e0233f2… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2"
},
{
"name": "https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373"
},
{
"name": "https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24756",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:36:57.414204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:51:16.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "crafatar",
"vendor": "crafatar",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-01T22:38:20.120Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2"
},
{
"name": "https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373"
},
{
"name": "https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67"
}
],
"source": {
"advisory": "GHSA-5cxq-25mp-q5f2",
"discovery": "UNKNOWN"
},
"title": "Crafatar path traversal vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24756",
"datePublished": "2024-02-01T22:38:20.120Z",
"dateReserved": "2024-01-29T20:51:26.010Z",
"dateUpdated": "2025-05-15T19:51:16.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24756 (GCVE-0-2024-24756)
Vulnerability from cvelistv5 – Published: 2024-02-01 22:38 – Updated: 2025-05-15 19:51
VLAI
Title
Crafatar path traversal vulnerability
Summary
Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/crafatar/crafatar/security/adv… | x_refsource_CONFIRM |
| https://github.com/crafatar/crafatar/commit/bba00… | x_refsource_MISC |
| https://github.com/crafatar/crafatar/blob/e0233f2… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.239Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2"
},
{
"name": "https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373"
},
{
"name": "https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24756",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T18:36:57.414204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:51:16.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "crafatar",
"vendor": "crafatar",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-01T22:38:20.120Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2"
},
{
"name": "https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365a373"
},
{
"name": "https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a726/lib/server.js#L64-L67"
}
],
"source": {
"advisory": "GHSA-5cxq-25mp-q5f2",
"discovery": "UNKNOWN"
},
"title": "Crafatar path traversal vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24756",
"datePublished": "2024-02-01T22:38:20.120Z",
"dateReserved": "2024-01-29T20:51:26.010Z",
"dateUpdated": "2025-05-15T19:51:16.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}