CVE-2024-33880 in Virto Bulk File Download for SharePoint 2019info

Summary

by MITRE • 06/24/2024

An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. It discloses full pathnames via Virto.SharePoint.FileDownloader/Api/Download.ashx?action=archive.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 06/14/2025

The vulnerability identified as CVE-2024-33880 affects VirtoSoftware Virto Bulk File Download version 5.5.44 specifically within SharePoint 2019 environments. This issue represents a path disclosure vulnerability that occurs through the Virto.SharePoint.FileDownloader/Api/Download.ashx endpoint when the action parameter is set to archive. The flaw allows unauthorized attackers to obtain sensitive directory path information from the server, which can serve as a critical piece of intelligence for further exploitation attempts.

This vulnerability falls under the category of information disclosure flaws that can be classified as CWE-200 Information Exposure. The technical implementation appears to inadequately sanitize or handle error responses within the file download functionality, resulting in the exposure of absolute file paths from the server filesystem. When the archive action is invoked through the download endpoint, the application fails to properly mask or obscure the underlying filesystem structure, thereby revealing directory paths that should remain confidential to prevent attackers from mapping the server environment.

The operational impact of this vulnerability extends beyond simple information exposure as it provides attackers with critical reconnaissance data that can be leveraged for more sophisticated attacks. Path disclosure vulnerabilities can enable attackers to understand the server architecture, potentially leading to directory traversal attacks, local file inclusion exploits, or other filesystem-based vulnerabilities. The exposed paths may reveal sensitive information about the application's deployment structure, including installation directories, configuration file locations, and potentially even database connection strings or other sensitive configuration data that might be stored in predictable locations.

From an adversary perspective, this vulnerability aligns with ATT&CK technique T1083 (File and Directory Discovery) and T1213 (Data from Information Repositories) as it provides the initial reconnaissance data needed to map the target environment. The information obtained through this path disclosure can be used to craft more targeted attacks against the SharePoint environment, potentially enabling attackers to exploit other vulnerabilities that might exist in the system's configuration or deployment structure. This makes the vulnerability particularly dangerous as it serves as a foundation for subsequent attack phases.

The recommended mitigations for this vulnerability include implementing proper input validation and error handling within the Virto.SharePoint.FileDownloader/Api/Download.ashx endpoint to prevent path information from being exposed in error responses. Organizations should ensure that all error messages and response data are sanitized to remove any references to filesystem paths or internal server structures. Additionally, implementing proper access controls and authentication checks for the download endpoint can prevent unauthorized access to the functionality altogether. The vendor should release a patch that addresses the path disclosure issue by properly handling error responses and ensuring that no sensitive path information is returned to client requests. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities in other endpoints and prevent future occurrences of information disclosure flaws in the application's architecture.

Reservation

04/28/2024

Disclosure

06/24/2024

Moderation

accepted

CPE

ready

EPSS

0.00335

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!