CVE-2024-40624 (GCVE-0-2024-40624)
Vulnerability from cvelistv5 – Published: 2024-07-15 19:28 – Updated: 2024-08-02 04:33
Title
Deserialization of untrusted data in torrentpier/torrentpier
Summary
TorrentPier is an open source BitTorrent public/private tracker engine written in PHP. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php. The record's CVSS vector (AV:N/AC:L/PR:N/UI:N) rates the issue as reachable over the network without privileges or user interaction. This issue has been addressed in commit `ed37e6e52`, which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
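| URL | Tags |
|---|---|
| https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw | x_refsource_CONFIRM |
| https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e | x_refsource_MISC |
| https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60 | x_refsource_MISC |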
Impacted products
| Vendor | Product | Version |
|---|---|---|
| torrentpier | torrentpier | Affected: < 2.4.4 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:torrentpier:torrentpier:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "torrentpier",
"vendor": "torrentpier",
"versions": [
{
"lessThan": "2.4.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40624",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-15T20:17:52.971854Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-16T14:37:32.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw"
},
{
"name": "https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e"
},
{
"name": "https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "torrentpier",
"vendor": "torrentpier",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php. This issue has been addressed in commit `ed37e6e52` which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T19:28:35.905Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw"
},
{
"name": "https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e"
},
{
"name": "https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60"
}
],
"source": {
"advisory": "GHSA-fg86-4c2r-7wxw",
"discovery": "UNKNOWN"
},
"title": "Deserialization of untrusted data in torrentpier/torrentpier"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40624",
"datePublished": "2024-07-15T19:28:35.905Z",
"dateReserved": "2024-07-08T16:13:15.509Z",
"dateUpdated": "2024-08-02T04:33:11.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php. This issue has been addressed in commit `ed37e6e52` which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"TorrentPier es un motor de seguimiento p\\u00fablico/privado de BitTorrent de c\\u00f3digo abierto, escrito en php. En `torrentpier/library/includes/functions.php`, `get_tracks()` utiliza el formato de serializaci\\u00f3n PHP nativo no seguro para deserializar las cookies controladas por el usuario. Se pueden usar phpggc y la cadena Guzzle/FW1 para escribir c\\u00f3digo PHP en un archivo arbitrario y ejecutar comandos en el sistema. Por ejemplo, la cookie bb_t se deserializar\\u00e1 al navegar por viewforum.php. Este problema se solucion\\u00f3 en el commit `ed37e6e52`, que se espera que se incluya en la versi\\u00f3n 2.4.4. Se recomienda a los usuarios que actualicen tan pronto como est\\u00e9 disponible la nueva versi\\u00f3n. No se conocen workarounds para esta vulnerabilidad.\"}]",
"id": "CVE-2024-40624",
"lastModified": "2024-11-21T09:31:23.177",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2024-07-15T20:15:04.810",
"references": "[{\"url\": \"https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-40624\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-15T20:15:04.810\",\"lastModified\":\"2024-11-21T09:31:23.177\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php. This issue has been addressed in commit `ed37e6e52` which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"TorrentPier es un motor de seguimiento p\u00fablico/privado de BitTorrent de c\u00f3digo abierto, escrito en php. En `torrentpier/library/includes/functions.php`, `get_tracks()` utiliza el formato de serializaci\u00f3n PHP nativo no seguro para deserializar las cookies controladas por el usuario. Se pueden usar phpggc y la cadena Guzzle/FW1 para escribir c\u00f3digo PHP en un archivo arbitrario y ejecutar comandos en el sistema. Por ejemplo, la cookie bb_t se deserializar\u00e1 al navegar por viewforum.php. Este problema se solucion\u00f3 en el commit `ed37e6e52`, que se espera que se incluya en la versi\u00f3n 2.4.4. Se recomienda a los usuarios que actualicen tan pronto como est\u00e9 disponible la nueva versi\u00f3n. 
No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-40624\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-15T20:17:52.971854Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:torrentpier:torrentpier:*:*:*:*:*:*:*:*\"], \"vendor\": \"torrentpier\", \"product\": \"torrentpier\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.4.4\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-15T20:19:56.536Z\"}}], \"cna\": {\"title\": \"Deserialization of untrusted data in torrentpier/torrentpier\", \"source\": {\"advisory\": \"GHSA-fg86-4c2r-7wxw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"torrentpier\", \"product\": \"torrentpier\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.4.4\"}]}], \"references\": [{\"url\": \"https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw\", \"name\": \"https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e\", \"name\": 
\"https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60\", \"name\": \"https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php. This issue has been addressed in commit `ed37e6e52` which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-15T19:28:35.905Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-40624\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-16T14:37:32.645Z\", \"dateReserved\": \"2024-07-08T16:13:15.509Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-15T19:28:35.905Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.