CVE-2024-27630

HIGH

GNU Savane < 3.13 - Unauthenticated Arbitrary File Deletion via trackers_data_delete_file Function

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-27630. PoCs published by ally-petitt.

AI-analyzed exploit summary CVE-2024-27630 is an Insecure Direct Object Reference (IDOR) vulnerability in Savane v3.12 and prior, allowing authenticated administrators to delete arbitrary file attachments by manipulating the `file_id` parameter. The vulnerability arises due to insufficient validation in the `trackers_data_delete_file` function.

Description

Insecure Direct Object Reference (IDOR) in GNU Savane v.3.12 and before allows a remote attacker to delete arbitrary files via crafted input to the trackers_data_delete_file function.

Exploits (1)

nomisec WRITEUP
by ally-petitt · poc
https://github.com/ally-petitt/CVE-2024-27630

CVE-2024-27630 is an Insecure Direct Object Reference (IDOR) vulnerability in Savane v3.12 and prior, allowing authenticated administrators to delete arbitrary file attachments by manipulating the `file_id` parameter. The vulnerability arises due to insufficient validation in the `trackers_data_delete_file` function.

Classification
Writeup 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Savane v3.12 and prior
Auth required
Prerequisites: Authenticated administrator access to a group with a bug tracker
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Mitigation, Third Party Advisory
https://github.com/ally-petitt/CVE-2024-27630

Scores

CVSS v3 7.5
EPSS 0.0082
EPSS Percentile 52.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (1)
gnu/savane < 3.13
Published Apr 08, 2024
Tracked Since Feb 18, 2026