CVE-2024-47823

Improper Input Validation (CWE-20)

Published: Oct 8, 2024 / Updated: 42d ago

CVSS 7.7 / EPSS 0.04% / Severity: High

Summary

A vulnerability in Livewire, a full-stack framework for Laravel, allows for potential remote code execution (RCE) in versions prior to 3.5.2. The issue stems from improper validation of file extensions during file uploads. The system guesses the file extension based on the MIME type instead of validating the actual file extension from the file name. This allows an attacker to bypass validation by uploading a file with a valid MIME type (e.g., image/png) but with a ".php" file extension.

Impact

If exploited, this vulnerability could lead to remote code execution on the affected server. An attacker could potentially upload and execute malicious PHP code, leading to unauthorized access, data theft, or further system compromise. The impact is severe as it could give an attacker full control over the affected web application and possibly the underlying server.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence that the vulnerability has been exploited at the moment.

Patch

A patch is available. The vulnerability has been addressed in Livewire version 3.5.2. All users are advised to upgrade to this version or later.

Mitigation

1. Upgrade Livewire to version 3.5.2 or later immediately.
2. If immediate upgrade is not possible, implement additional file upload validation measures:
   - Validate file extensions explicitly, regardless of MIME type.
   - Implement a whitelist of allowed file extensions.
   - Store uploaded files in a non-public directory if possible.
   - Configure the webserver to not execute PHP files from upload directories.
3. Regularly audit and update file upload handling practices.
4. Monitor for any suspicious file uploads or unexpected PHP files in public directories.
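The following is an added example, not Livewire's own code, showing the validation the mitigation list describes: the extension is taken from the original file name and checked against a whitelist, and the sniffed content type must agree with that extension, so that a name like shell.php sent with an image/png Content-Type is rejected. The function names, the whitelist, the storage directory and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example (not Livewire's own code): decide whether an upload may be
// stored by validating the extension of the original file name against a
// whitelist, instead of guessing an extension from the MIME type.
// ALLOWED_UPLOADS, acceptedExtension(), storeUpload() and the sample
// inputs below are assumptions for this illustration.

declare(strict_types=1);

// Whitelisted extensions and the content type each may legitimately have.
const ALLOWED_UPLOADS = [
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns the whitelisted extension the file will be stored under, or null
 * when the upload must be rejected. $originalName is the client-supplied
 * file name; $detectedMime is the type sniffed from the file's bytes.
 */
function acceptedExtension(string $originalName, string $detectedMime): ?string
{
    // Take the extension from the name itself, never from the MIME type.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED_UPLOADS)) {
        return null;   // "shell.php", "shell", "x.phtml": not on the whitelist
    }
    // A whitelisted name must also match what the bytes actually are.
    if (!in_array($detectedMime, ALLOWED_UPLOADS[$ext], true)) {
        return null;   // "photo.png" whose contents are not a PNG
    }
    return $ext;
}

/**
 * Moves an accepted upload to $storageDir (assumed to be outside the web
 * root and configured so the web server never executes files from it),
 * under a server-generated name so the client's name is never reused.
 * Returns the stored path, or null if the upload was rejected.
 */
function storeUpload(string $tmpPath, string $originalName, string $storageDir): ?string
{
    // Sniff the real content type; the client's Content-Type header is untrusted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath) ?: 'application/octet-stream';
    $ext = acceptedExtension($originalName, $detected);
    if ($ext === null) {
        return null;
    }
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($tmpPath, $target) ? $target : null;
}

// Constructed sample inputs exercising the name/extension rule on its own.
$cases = [
    ['photo.png',     'image/png'],   // accepted, stored as png
    ['shell.php',     'image/png'],   // rejected: .php is not whitelisted
    ['shell.PHP',     'image/png'],   // rejected: comparison is case-insensitive
    ['photo.png.php', 'image/png'],   // rejected: the last extension is php
    ['photo.png',     'text/x-php'],  // rejected: bytes do not match the extension
];
foreach ($cases as [$name, $mime]) {
    printf("%-15s %-12s -> %s\n", $name, $mime, acceptedExtension($name, $mime) ?? 'REJECT');
}
```

The check covers only the application side of the mitigation list; keeping uploads out of the document root and disabling PHP execution for the upload directory are configured in the web server and remain necessary even with this validation in place, because a rejected upload today may be an allowed-but-misinterpreted one after the next configuration change.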

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Oct 8, 2024 at 1:48 PM
CVE Assignment

NVD published the first details for CVE-2024-47823

Oct 8, 2024 at 6:15 PM
CVSS

A CVSS base score of 7.7 has been assigned.

Oct 8, 2024 at 6:21 PM / nvd
First Article

Feedly found the first article mentioning CVE-2024-47823.

Oct 8, 2024 at 6:27 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 8, 2024 at 6:27 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.7%)

Oct 9, 2024 at 10:29 AM
CVSS

A CVSS base score of 7.7 has been assigned.

Oct 10, 2024 at 12:20 AM / nvd

Patches

Github Advisory

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

[GHSA-f3cx-396f-7jqp] Livewire Remote Code Execution on File Uploads
In the following scenario, an attacker could upload a file called shell.php with an image/png MIME type and execute it on the remote server. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., image/png) and a “.php” file extension.

News

Livewire Remote Code Execution on File Uploads
In livewire/livewire prior to v2.12.7 and v3.5.2, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., image/png) and a “.php” file extension. If the following criteria are met, the attacker can carry out an …
[CERT-daily] Daily summary - 11.10.2024
https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/ Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers.
Daily summary - 11.10.2024
Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers. New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution
Exploiting Livewire: CVE-2024-47823 Puts Laravel Apps at Risk
Summary: A critical vulnerability, CVE-2024-47823, has been discovered in Livewire, a Laravel framework, allowing attackers to exploit file uploads for Remote Code Execution (RCE). The flaw arises from improper validation of file extensions in versions prior to 3.5.2, enabling malicious file uploads that can be executed by the server.
Livewire Security Update Advisory (CVE-2024-47823)
If you are using an affected version, please follow the instructions on the referenced sites to update to the latest patched version. The following product-specific vulnerability patches have been made available in the latest update.

CVSS V3.1

Unknown
