Vulnerability DatabaseCVE-2024-49380

CVE-2024-49380:
Linux openSUSE vulnerability analysis and mitigation

Overview

Plenti, a static site generator, contains an arbitrary file write vulnerability (CVE-2024-49380) in versions prior to 0.7.2. The vulnerability specifically affects the /postLocal endpoint when a plenti user serves their website. The issue was discovered on October 9, 2024, and was fixed with the release of version 0.7.2 on October 11, 2024 (GitHub Release, GitHub Advisory).

Technical details

The vulnerability exists in the /postLocal endpoint within the serve.go file. When processing POST requests, the endpoint fails to properly validate file paths before writing files to the system. The vulnerability has received a CVSS v4.0 score of 8.9 (HIGH) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P (NVD CVSS).

Impact

The vulnerability can lead to Remote Code Execution (RCE) on affected systems. An attacker could potentially write arbitrary files to the system, which could be leveraged to execute malicious code (GitHub Advisory).

Mitigation and workarounds

Users should upgrade to Plenti version 0.7.2 or later, which contains the fix for this vulnerability. The fix ensures that the /postLocal endpoint is properly contained to the project directory (GitHub Release).

Additional resources

Source: This report was generated using AI

Related Linux openSUSE vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-13470	HIGH	7.7	Linux Debian	rnp	No	Yes	Nov 21, 2025
CVE-2025-61915	MEDIUM	6	OpenPrinting CUPS	libcups2-32bit	No	Yes	Nov 29, 2025
CVE-2025-58436	MEDIUM	5.1	OpenPrinting CUPS	cups-devel	No	Yes	Nov 29, 2025
CVE-2025-9820	N/A	N/A	GnuTLS	gnutls28	No	Yes	Nov 21, 2025
CVE-2025-13402	N/A	N/A	Linux Fedora	librnp	No	Yes	Nov 21, 2025