CVE-2024-48735 is a directory traversal vulnerability affecting SAS Studio 9.4, specifically in the endpoint /SASStudio/sasexec/sessions/{sessionID}/workspace/{InternalPath}. This flaw allows an attacker who has some level of authenticated access (PR:L) to manipulate the InternalPath parameter to traverse directories and access files outside the intended workspace directory. The vulnerability arises because the application insufficiently validates or sanitizes the file path input, enabling traversal sequences (e.g., ../) to access arbitrary files on the server filesystem. The vendor disputes the classification of this as a vulnerability, arguing that the filesystem paths accessible are intended for authorized users only. However, the vulnerability can lead to unauthorized disclosure of sensitive files if an attacker can leverage limited privileges to access files beyond their authorized scope. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicates that the attack is network-based, requires low attack complexity, needs privileges but no user interaction, and impacts confidentiality with a scope change. No patches or exploits are currently publicly available, but the vulnerability is significant due to the potential exposure of sensitive internal files in enterprise environments using SAS Studio 9.4.

The primary impact of CVE-2024-48735 is the unauthorized disclosure of sensitive information stored on servers running SAS Studio 9.4. Organizations using this software for analytics and data processing may have critical internal files, configuration files, or data files exposed if an attacker can exploit this vulnerability. Since the vulnerability requires some level of authenticated access, the risk is elevated in environments where user credentials are weak, shared, or compromised. The confidentiality breach could lead to leakage of proprietary data, intellectual property, or personally identifiable information (PII), potentially resulting in regulatory non-compliance, reputational damage, and financial loss. The vulnerability does not affect integrity or availability directly but can be a stepping stone for further attacks. Given SAS Studio's use in industries such as finance, healthcare, and government, the impact can be severe in these sectors. The lack of known exploits reduces immediate risk, but the high CVSS score suggests that attackers may develop exploits, especially in targeted attacks.

To mitigate CVE-2024-48735, organizations should first verify and restrict user privileges within SAS Studio to the minimum necessary, ensuring that users cannot access unauthorized sessions or workspaces. Implement strict input validation and sanitization on the InternalPath parameter to prevent directory traversal sequences. If possible, apply virtual path mapping or sandboxing to confine file access strictly within authorized directories. Monitor and audit file access logs for unusual or unauthorized file retrieval attempts. Employ network segmentation and access controls to limit exposure of SAS Studio servers to trusted networks and users only. Since no official patches are currently available, consider contacting the vendor for guidance or temporary workarounds. Additionally, enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Regularly update and patch SAS Studio and related components once vendor fixes are released. Finally, conduct security assessments and penetration tests focusing on file access controls to detect similar vulnerabilities.