CVE-2024-9280
Unrestricted Upload of File with Dangerous Type (CWE-434)
Summary
A critical vulnerability has been discovered in kalvinGit kvf-admin, affecting versions up to the commit f12a94dc1ebb7d1c51ee978a85e4c7ed75c620ff. The vulnerability is located in the fileUpload function of the FileUploadKit.java file. It allows for unrestricted upload of files, which can be exploited remotely without requiring user interaction or special privileges.
Impact
This vulnerability could have severe consequences. An attacker can exploit it to upload malicious files to the system, potentially leading to remote code execution, data theft, or system compromise. The CVSS v3.1 base score of 9.8 (Critical) indicates that successful exploitation could result in a total loss of confidentiality, integrity, and availability of the affected system. The attack vector being "NETWORK" means it can be exploited remotely, increasing the potential threat surface.
Exploitation
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
Patch
No specific patch information is available. The project uses continuous delivery with rolling releases, so there are no fixed version numbers for affected or updated releases. The latest commit after f12a94dc1ebb7d1c51ee978a85e4c7ed75c620ff may contain the fix, but this should be verified with the project maintainers.
Mitigation
1. Immediately update the kvf-admin software to the latest version beyond commit f12a94dc1ebb7d1c51ee978a85e4c7ed75c620ff. 2. Implement strict file upload validation and sanitization mechanisms. 3. Use content-type checking and file extension restrictions for uploaded files. 4. Employ a Web Application Firewall (WAF) to help filter malicious file uploads. 5. Regularly audit and monitor file upload functionalities for any suspicious activities. 6. Apply the principle of least privilege to the file upload functionality and associated services. 7. If immediate patching is not possible, consider temporarily disabling or restricting access to the file upload functionality until a patch can be applied.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Timeline
Feedly found the first article mentioning CVE-2024-9280. See article
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-9280
A CVSS base score of 4.7 has been assigned.
EPSS Score was set to: 0.05% (Percentile: 16.3%)
A CVSS base score of 9.8 has been assigned.