CVE-2024-7340

HIGH NUCLEI

Pypi Weave < 0.50.8 - Path Traversal

Title source: rule

Description

The Weave server API allows remote users to fetch files from a specific directory, but due to a lack of input validation, it is possible to traverse and leak arbitrary files remotely. In various common scenarios, this allows a low-privileged user to assume the role of the server admin.

Nuclei Templates (1)

W&B Weave Server - Remote Arbitrary File Leak

HIGHVERIFIEDby iamnoooob,rootxharsh,pdresearch

References (2)

[Various Sources] https://research.jfrog.com/vulnerabilities/wandb-weave-server-remote-arbitrary-file-leak-jfsa-2024-001039248/

[Issue Tracking] https://github.com/wandb/weave/pull/1657

Scores

CVSS v3 8.8

EPSS 0.8770

EPSS Percentile 99.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20 CWE-22

Status published

Products (1)

pypi/weave 0 - 0.50.8PyPI

Published Jul 31, 2024

Tracked Since Feb 18, 2026