Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5.
History

Thu, 15 May 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-01T22:38:20.120Z

Updated: 2025-05-15T19:51:16.229Z

Reserved: 2024-01-29T20:51:26.010Z

Link: CVE-2024-24756

cve-icon Vulnrichment

Updated: 2024-08-01T23:28:12.239Z

cve-icon NVD

Status : Modified

Published: 2024-02-01T23:15:11.210

Modified: 2024-11-21T08:59:38.130

Link: CVE-2024-24756

cve-icon Redhat

No data.