Path Traversal: 'dir/../../filename' (CWE-27)
Traccar, an open source GPS tracking system, contains a vulnerability in versions prior to 6.0 that allows path traversal and unrestricted upload of files with dangerous types. The system allows registration by default, enabling attackers to acquire ordinary user permissions and exploit this vulnerability to upload files with the prefix `device.` under any folder.
This vulnerability can be exploited for phishing attacks, cross-site scripting (XSS) attacks, and potentially executing arbitrary commands on the server. The vulnerability has a high impact on integrity, low impact on availability, and no direct impact on confidentiality. The attack vector is network-based, with low attack complexity, low privileges required, no user interaction, and a changed scope. Multiple proof-of-concept exploits are available on GitHub, increasing the likelihood of exploitation, and exploitation has been reported by various sources, including rapid7.com.
A patch is available in Traccar version 6.0. Organizations using versions prior to 6.0 should prioritize upgrading to this latest version to address the vulnerability.
1. Upgrade Traccar to version 6.0 or later immediately.
2. If immediate upgrading is not possible, implement strict access controls and monitor file uploads closely.
3. Disable user registration if it is not necessary, or implement additional verification steps for new accounts.
4. Implement strong input validation and sanitization for all user-supplied data, especially file uploads.
5. Use a Web Application Firewall (WAF) to help detect and block potential exploitation attempts.
6. Regularly audit and monitor server logs for any suspicious activities or unauthorized file uploads.
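As an added illustration of mitigations 4 and 6 (this is example code, not Traccar's own implementation), the block below shows an allow-list check that keeps a `device.`-prefixed upload inside its media root, rejecting the `dir/../../filename` pattern of CWE-27, plus a small log filter that flags traversal attempts after URL decoding. The media root, the `<root>/<device_id>/<file_name>` layout, the extension list and the sample log lines are all assumptions constructed for the example.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed layout (not Traccar's): uploads are stored as <root>/<device_id>/<file_name>.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "mp4"}
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Matches a '..' path segment bounded by separators or by the string edges.
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def resolve_upload_path(root: str, device_id: str, file_name: str) -> Optional[str]:
    """Return the absolute path an upload may be written to, or None if rejected."""
    # Allow-list the directory component: no separators, no '..', no odd bytes.
    if not DEVICE_ID_RE.fullmatch(device_id):
        return None
    # The file name must be a bare name (no separators or NUL) with an expected extension.
    if file_name in ("", ".", "..") or any(c in file_name for c in "/\\\0"):
        return None
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, device_id, file_name))
    # Containment check after normalisation: the target must still sit under root.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return access-log lines whose request path contains a '..' segment after decoding."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path = unquote(unquote(parts[1]))  # decode twice to catch %252e-style double encoding
        if TRAVERSAL_RE.search(path):
            flagged.append(line)
    return flagged


# Constructed sample access-log lines ("METHOD PATH STATUS"); not real traffic.
SAMPLE_LOG = [
    "POST /upload/dev123/device.jpg 200",
    "POST /upload/dev123/../../../tmp/device.jpg 200",
    "POST /upload/%2e%2e%2f%2e%2e%2fwebroot/device.png 200",
]
```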
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
NVD published the first details for CVE-2024-24809
A CVSS base score of 8.5 has been assigned.
EPSS score was set to 0.04% (percentile: 7.9%).
CVE-2024-24809 is a critical path traversal vulnerability in Traccar 5 that allows unauthenticated attackers to upload files with arbitrary content to the file system. This vulnerability has the potential for remote code execution and could be exploited by malicious actors if guest registration is enabled. Mitigations include disabling guest registration and applying the patches provided by Traccar to address the issue.
Attacks in the wild have been reported by Metasploit (Rapid7 Cybersecurity Blog).