CVE-2024-11314: 
NixOS vulnerability analysis and mitigation

The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files, identified as CVE-2024-11314. This vulnerability affects DVC versions 6.0 through 6.3. The vulnerability was discovered and reported by Kun Xian Lin from DEVCORE and was publicly disclosed on November 18, 2024. The issue has been assigned a Critical CVSS v3.1 score of 9.8 (TWCERT/CC).

The vulnerability combines two critical security weaknesses: Path Traversal (CWE-22/CWE-23) and Unrestricted Upload of File with Dangerous Type (CWE-434). The vulnerability allows unauthenticated remote attackers to upload arbitrary files to any directory on the system. The severity is reflected in its CVSS v3.1 score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability enables attackers to upload arbitrary files to any directory on the affected system. Most critically, attackers can upload webshells, leading to arbitrary code execution on the target system. This level of access could potentially result in complete system compromise (TWCERT/CC).

Users are advised to update to DVC version 6.4 or later to address this vulnerability (TWCERT/CC).