CVE-2024-35474 identifies a directory traversal vulnerability in the iceice666 ResourcePack Server software, specifically in versions before 1.0.8. The vulnerability resides in the setPath method of the ResourcePackFileServer.kt component, where insufficient validation of user-supplied file paths allows attackers to traverse directories and access files outside the intended resource directory. This flaw can be exploited remotely without requiring user interaction, and only low-level privileges are needed, making it relatively easy to exploit over a network. The primary impact is unauthorized disclosure of sensitive files on the server, potentially exposing configuration files, credentials, or other critical data. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS v3.1 base score of 6.5 reflects a medium severity, with high confidentiality impact but no impact on integrity or availability. No known public exploits or patches have been reported at the time of publication, but the vendor has released version 1.0.8 to address this issue. Organizations using this software, often in gaming or modding environments, should be aware of the risk of data leakage and take immediate steps to update or mitigate the vulnerability.

The primary impact of CVE-2024-35474 is unauthorized disclosure of sensitive server files, which can lead to leakage of configuration data, credentials, or other private information. This can facilitate further attacks such as privilege escalation, lateral movement, or targeted exploitation if attackers gain insight into the server environment. Although the vulnerability does not affect data integrity or availability, the confidentiality breach alone can have significant consequences, especially if sensitive or proprietary information is exposed. Organizations running the iceice666 ResourcePack Server in production or public-facing environments are at risk of data exposure. The ease of remote exploitation without user interaction or high privileges increases the threat level, potentially affecting a broad range of deployments. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a critical concern until patched.

To mitigate CVE-2024-35474, organizations should immediately upgrade to iceice666 ResourcePack Server version 1.0.8 or later once available, as this version addresses the directory traversal flaw. In the interim, implement strict input validation on file path parameters to ensure that user-supplied paths cannot traverse outside designated directories. Employ access controls and file system permissions to restrict the server process from reading sensitive files outside the intended resource directories. Network-level protections such as firewalls or web application firewalls (WAFs) can be configured to detect and block suspicious path traversal patterns in requests. Regularly audit server logs for unusual file access attempts. Additionally, isolate the ResourcePack Server in a segmented network zone to limit exposure. Educate developers and administrators about secure coding practices regarding path handling to prevent similar vulnerabilities in the future.