github - ghsa-37f5-2pjr-46xw

GHSA-37F5-2PJR-46XW

Vulnerability from github – Published: 2024-06-24 09:30 – Updated: 2024-06-24 09:30

Details

A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-24550"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-434"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-24T07:15:13Z",
    "severity": null
  },
  "details": "A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.",
  "id": "GHSA-37f5-2pjr-46xw",
  "modified": "2024-06-24T09:30:52Z",
  "published": "2024-06-24T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24550"
    },
    {
      "type": "WEB",
      "url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CVE-2024-24550 (GCVE-0-2024-24550)

Vulnerability from cvelistv5 – Published: 2024-06-24 07:05 – Updated: 2024-08-01 23:19

Summary

Severity ?

8.9 (High)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-502 - Deserialization of Untrusted Data
CWE-434 - Unrestricted Upload of File with Dangerous Type

Assigner

NCSC.ch

References

URL

Tags

https://www.redguard.ch/blog/2024/06/20/security-…

Impacted products

	Vendor	Product	Version
	Bludit	Bludit	Affected: 3.14.0

Credits

Andreas Pfefferle, Redguard AG

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:bludit:bludit:3.14.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "bludit",
            "vendor": "bludit",
            "versions": [
              {
                "lessThanOrEqual": "3.15.0",
                "status": "affected",
                "version": "3.14.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-24550",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-24T13:31:57.251143Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-24T13:33:38.619Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:19:52.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.bludit.com/",
          "defaultStatus": "unaffected",
          "packageName": "Bludit",
          "platforms": [
            "Linux",
            "Windows",
            "MacOS"
          ],
          "product": "Bludit",
          "programFiles": [
            "bl-plugins/api/plugin.php"
          ],
          "repo": "https://github.com/bludit/bludit/",
          "vendor": "Bludit",
          "versions": [
            {
              "status": "affected",
              "version": "3.14.0"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "- Admin must enable the API (API is disabled by default).\u003cbr\u003e- Attacker requires the knowledge of the API token\u003cbr\u003e- Authentication is not required to access the file upload directory.\u003cbr\u003e"
            }
          ],
          "value": "- Admin must enable the API (API is disabled by default).\n- Attacker requires the knowledge of the API token\n- Authentication is not required to access the file upload directory."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Andreas Pfefferle, Redguard AG"
        }
      ],
      "datePublic": "2024-06-20T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.\u003cbr\u003e"
            }
          ],
          "value": "A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-650",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-650 Upload a Web Shell to a Web Server"
            }
          ]
        },
        {
          "capecId": "CAPEC-253",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-253 Remote Code Inclusion"
            }
          ]
        },
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        },
        {
          "capecId": "CAPEC-175",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-175 Code Inclusion"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-24T07:05:50.655Z",
        "orgId": "455daabc-a392-441d-aa46-37d35189897c",
        "shortName": "NCSC.ch"
      },
      "references": [
        {
          "url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "1. Remove file upload API: As the API POST request for uploading files is not documented, it can be assumed that it is a feature not actually needed by Bludit users. This is substantiated by the fact that users also cannot upload arbitrary files with the web application (AJAX).\u003cbr\u003e2. Use an allowlist: If the first suggestion is not feasible as it is an actively used feature of Bludit users, it is advised to restrict the possible upload file formats with an allowlist. Before storing the uploaded files in the intended directory, their file extension and mime type should be checked.\u003cbr\u003e3. Restrict upload storage: Users should only be allowed to store a certain amount of data on the file share (e.g. 10MB). \u003cbr\u003e4. If uploaded files should not be downloadable by everyone: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access.\u003cbr\u003e5. If uploaded files should be downloadable: Disable PHP in upload folder, e.g. with the following configuration in nginx:\u003cbr\u003e\u003cbr\u003e```\u003cbr\u003elocation /upload_folder {\u003cbr\u003e\u0026nbsp; \u0026nbsp; # Disable PHP execution\u003cbr\u003e\u0026nbsp; \u0026nbsp; location ~ \\.php$ {\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; deny all;\u003cbr\u003e\u0026nbsp; \u0026nbsp; }\u003cbr\u003e\u003cbr\u003e\u0026nbsp; \u0026nbsp; # Allow other file types\u003cbr\u003e\u0026nbsp; \u0026nbsp; location /upload_folder/ {\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; # Additional configurations for other file types if necessary\u003cbr\u003e\u0026nbsp; \u0026nbsp; }\u003cbr\u003e}\u003cbr\u003e```"
            }
          ],
          "value": "1. Remove file upload API: As the API POST request for uploading files is not documented, it can be assumed that it is a feature not actually needed by Bludit users. This is substantiated by the fact that users also cannot upload arbitrary files with the web application (AJAX).\n2. Use an allowlist: If the first suggestion is not feasible as it is an actively used feature of Bludit users, it is advised to restrict the possible upload file formats with an allowlist. Before storing the uploaded files in the intended directory, their file extension and mime type should be checked.\n3. Restrict upload storage: Users should only be allowed to store a certain amount of data on the file share (e.g. 10MB). \n4. If uploaded files should not be downloadable by everyone: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access.\n5. If uploaded files should be downloadable: Disable PHP in upload folder, e.g. with the following configuration in nginx:\n\n```\nlocation /upload_folder {\n\u00a0 \u00a0 # Disable PHP execution\n\u00a0 \u00a0 location ~ \\.php$ {\n\u00a0 \u00a0 \u00a0 \u00a0 deny all;\n\u00a0 \u00a0 }\n\n\u00a0 \u00a0 # Allow other file types\n\u00a0 \u00a0 location /upload_folder/ {\n\u00a0 \u00a0 \u00a0 \u00a0 # Additional configurations for other file types if necessary\n\u00a0 \u00a0 }\n}\n```"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Bludit - Remote Code Execution (RCE) through File API",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
    "assignerShortName": "NCSC.ch",
    "cveId": "CVE-2024-24550",
    "datePublished": "2024-06-24T07:05:50.655Z",
    "dateReserved": "2024-01-25T14:02:00.526Z",
    "dateUpdated": "2024-08-01T23:19:52.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-37F5-2PJR-46XW

CVE-2024-24550 (GCVE-0-2024-24550)

Tags

Sightings

Nomenclature