CVE-2024-43395

CraftOS-PC 2's improperly sanitizied paths cause filesystem escape (Windows)

Description

CraftOS-PC 2 is a rewrite of the desktop port of CraftOS from the popular Minecraft mod ComputerCraft using C++ and a modified version of PUC Lua, as well as SDL for drawing. Prior to version 2.8.3, users of CraftOS-PC 2 on Windows can escape the computer folder and access files anywhere without permission or notice by obfuscating `..`s to bypass the internal check preventing parent directory traversal. Version 2.8.3 contains a patch for this issue.

Category

8.2
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.09%
Affected: MCJack123 craftos2
Published at:
Updated at:

References

Link Tags
https://github.com/MCJack123/craftos2/security/advisories/GHSA-hr3w-wc83-6923
https://github.com/MCJack123/craftos2/commit/f7a88b905560df4366fb69f09b70f05984e05ad3

Frequently Asked Questions

What is the severity of CVE-2024-43395?
CVE-2024-43395 has been scored as a high severity vulnerability.
How to fix CVE-2024-43395?
To fix CVE-2024-43395, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-43395 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-43395 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-43395?
CVE-2024-43395 affects MCJack123 craftos2.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.