CVE-2024-48514

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 24, 2024 / Updated: 26d ago

010
No CVSS yetEPSS 0.04%
CVE info copied to clipboard

Summary

php-heic-to-jpg version 1.0.5 and below is vulnerable to remote code execution. The vulnerability allows an attacker to execute code on the remote server via the file name when uploading heic images. This compromises the confidentiality, integrity, and availability (CIA) of the affected system.

Impact

This vulnerability could allow an attacker to execute arbitrary code on the server, potentially leading to complete system compromise. The attacker could: 1. Gain unauthorized access to sensitive data stored on the server. 2. Modify or delete critical files and data. 3. Use the compromised server as a launching point for further attacks on the network. 4. Install malware or backdoors for persistent access. 5. Disrupt services by manipulating server resources. The high severity of this vulnerability suggests it could have significant operational and security impacts if exploited.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability was addressed on October 24, 2024, as indicated by the patch details in the Github Advisory.

Mitigation

1. Update php-heic-to-jpg to a version newer than 1.0.5 immediately. 2. If immediate updating is not possible, disable or restrict the ability to upload heic images until the update can be applied. 3. Implement strict input validation for file names, rejecting any that contain potentially malicious code. 4. Use the principle of least privilege for the application, limiting its ability to execute system commands. 5. Monitor system logs for any suspicious activities related to image uploads or unexpected code execution. 6. Consider implementing a Web Application Firewall (WAF) to help detect and block potential exploitation attempts.

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5001327)

Oct 24, 2024 at 7:53 AM
CVE Assignment

NVD published the first details for CVE-2024-48514

Oct 24, 2024 at 6:15 PM
First Article

Feedly found the first article mentioning CVE-2024-48514. See article

Oct 24, 2024 at 6:22 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 24, 2024 at 6:22 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Oct 24, 2024 at 6:30 PM
Threat Intelligence Report

CVE-2024-48514 is a critical vulnerability in php-heic-to-jpg versions 1.0.5 and below, allowing remote code execution through malicious file names during heic image uploads, with a high CVSS score estimated. Currently, there is no evidence of exploitation in the wild or public proof-of-concept exploits, but a patch has been released, and mitigations such as input validation and restricting file uploads are recommended. Detection for this vulnerability has been integrated into Qualys, and a security advisory is available on GitHub. See article

Oct 25, 2024 at 5:19 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.8%)

Oct 25, 2024 at 10:07 AM
Static CVE Timeline Graph

Affected Systems

Php/php
+null more

Patches

Github Advisory
+null more

Attack Patterns

CAPEC-242: Code Injection
+null more

Vendor Advisory

[GHSA-g8v9-c8m3-942v] Remote code execution in php-heic-to-jpg
GitHub Security Advisory: GHSA-g8v9-c8m3-942v Release Date: 2024-10-24 Update Date: 2024-10-24 Severity: High CVE-2024-48514 Package Information Package: maestroerror/php-heic-to-jpg Affected Versions: Patched Versions: 1.0.5 Description php-heic-to-jpg References https://nvd.nist.gov/vuln/detail/CVE-2024-48514 https://github.com/MaestroError/php-heic-to-jpg https://github.com/marcoris/CVEs/tree/master/CVE-2024-48514 MaestroError/php-heic-to-jpg#34

References

CVE-2024-48514 - Exploits & Severity - Feedly
The vulnerability allows an attacker to execute code on the remote server via the file name when uploading heic images. This vulnerability could allow an attacker to execute arbitrary code on the server, potentially leading to complete system compromise.

News

CVE-2024-48514 - Exploits & Severity - Feedly
The vulnerability allows an attacker to execute code on the remote server via the file name when uploading heic images. This vulnerability could allow an attacker to execute arbitrary code on the server, potentially leading to complete system compromise.
CVE-2024-48514
Critical Severity Description php-heic-to-jpg Read more at https://www.tenable.com/cve/CVE-2024-48514
NA - CVE-2024-48514 - php-heic-to-jpg
php-heic-to-jpg
[GHSA-g8v9-c8m3-942v] Remote code execution in php-heic-to-jpg
GitHub Security Advisory: GHSA-g8v9-c8m3-942v Release Date: 2024-10-24 Update Date: 2024-10-24 Severity: High CVE-2024-48514 Package Information Package: maestroerror/php-heic-to-jpg Affected Versions: Patched Versions: 1.0.5 Description php-heic-to-jpg References https://nvd.nist.gov/vuln/detail/CVE-2024-48514 https://github.com/MaestroError/php-heic-to-jpg https://github.com/marcoris/CVEs/tree/master/CVE-2024-48514 MaestroError/php-heic-to-jpg#34
CVE-2024-48514 | php-heic-to-jpg up to 1.0.5 HEIC Image unrestricted upload
A vulnerability has been found in php-heic-to-jpg up to 1.0.5 and classified as critical . Affected by this vulnerability is an unknown functionality of the component HEIC Image Handler . The manipulation leads to unrestricted upload. This vulnerability is known as CVE-2024-48514 . The attack can be launched remotely. There is no exploit available.
See 5 more articles and social media posts

CVSS V3.1

Unknown

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI