Vulnerability Description
Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Crafatar | Crafatar | < 2.1.5 |
Related Weaknesses (CWE)
References
- https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a7Product
- https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365Patch
- https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2ExploitVendor Advisory
- https://github.com/crafatar/crafatar/blob/e0233f2899a3206a817d2dd3b80da83d51c7a7Product
- https://github.com/crafatar/crafatar/commit/bba004acc725b362a5d2d5dfe30cf60e7365Patch
- https://github.com/crafatar/crafatar/security/advisories/GHSA-5cxq-25mp-q5f2ExploitVendor Advisory
FAQ
What is CVE-2024-24756?
CVE-2024-24756 is a vulnerability with a CVSS score of 7.5 (HIGH). Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare...
How severe is CVE-2024-24756?
CVE-2024-24756 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-24756?
Check the references section above for vendor advisories and patch information. Affected products include: Crafatar Crafatar.