CVE-2024-54453 is a path traversal vulnerability identified in the DocServlet servlet component of Kurmi Provisioning Suite versions before 7.9.0.35, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. The vulnerability allows remote attackers to manipulate file path parameters to access arbitrary files within the web application’s installation directory. This occurs because the servlet does not properly sanitize or validate user-supplied input used to construct file paths, enabling traversal sequences (e.g., ../) to escape the intended directory boundaries. As a result, attackers can retrieve sensitive files such as configuration files, obfuscated or compiled source code, and other critical data stored on the server. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its network attack vector, low attack complexity, no required privileges or user interaction, and a high impact on confidentiality without affecting integrity or availability. No patches or exploit code are currently publicly available, but the flaw represents a serious risk due to the sensitive nature of the exposed information and the potential for further exploitation based on the disclosed data.

The primary impact of CVE-2024-54453 is unauthorized disclosure of sensitive information, which can compromise the confidentiality of the Kurmi Provisioning Suite environment. Exposure of source code or configuration files may enable attackers to discover additional vulnerabilities, develop targeted exploits, or gain insights into the internal workings of the application. This can lead to further attacks such as privilege escalation, data manipulation, or lateral movement within affected networks. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to organizations relying on Kurmi for provisioning and management tasks. The lack of impact on integrity and availability limits the immediate operational disruption but does not diminish the potential long-term security consequences. Organizations in telecommunications, managed services, or enterprises using Kurmi could face data breaches, intellectual property theft, and compliance violations if this vulnerability is exploited.

To mitigate CVE-2024-54453, organizations should immediately upgrade Kurmi Provisioning Suite to versions 7.9.0.35 or later, 7.10.x beyond 7.10.0.18, or 7.11.x beyond 7.11.0.15 once patches are released. Until official patches are available, administrators should restrict access to the DocServlet servlet by implementing network-level controls such as IP whitelisting or firewall rules to limit exposure to trusted management networks only. Additionally, web application firewalls (WAFs) can be configured to detect and block path traversal patterns in HTTP requests targeting the servlet. Reviewing and hardening file permissions on the server to prevent unauthorized read access to sensitive files can reduce the impact of successful exploitation. Monitoring web server logs for suspicious requests containing traversal sequences and unusual file access attempts can provide early detection. Finally, organizations should conduct thorough security assessments of their Kurmi deployments and ensure that sensitive files are not unnecessarily stored in web-accessible directories.