CVE-2024-24550 - OpenCVE

A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.

Attack Vector Network

Attack Complexity High

Privileges Required High

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Bludit	Bludit

No data.

No data.

References

Link	Providers
https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/

History

No history.

MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published: 2024-06-24T07:05:50.655Z

Updated: 2024-08-01T23:19:52.559Z

Reserved: 2024-01-25T14:02:00.526Z

Link: CVE-2024-24550

Vulnrichment

Updated: 2024-06-24T13:33:32.615Z

NVD

Status : Awaiting Analysis

Published: 2024-06-24T07:15:13.580

Modified: 2024-06-24T12:57:36.513

Link: CVE-2024-24550

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24550", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2024-01-25T14:02:00.526Z", "datePublished": "2024-06-24T07:05:50.655Z", "dateUpdated": "2024-08-01T23:19:52.559Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.bludit.com/", "defaultStatus": "unaffected", "packageName": "Bludit", "platforms": ["Linux", "Windows", "MacOS"], "product": "Bludit", "programFiles": ["bl-plugins/api/plugin.php"], "repo": "https://github.com/bludit/bludit/", "vendor": "Bludit", "versions": [{"status": "affected", "version": "3.14.0"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "- Admin must enable the API (API is disabled by default).<br>- Attacker requires the knowledge of the API token<br>- Authentication is not required to access the file upload directory.<br>"}], "value": "- Admin must enable the API (API is disabled by default).\n- Attacker requires the knowledge of the API token\n- Authentication is not required to access the file upload directory."}], "credits": [{"lang": "en", "type": "finder", "value": "Andreas Pfefferle, Redguard AG"}], "datePublic": "2024-06-20T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.<br>"}], "value": "A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}, {"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}, {"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}, {"capecId": "CAPEC-175", "descriptions": [{"lang": "en", "value": "CAPEC-175 Code Inclusion"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.9, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2024-06-24T07:05:50.655Z"}, "references": [{"url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "1. Remove file upload API: As the API POST request for uploading files is not documented, it can be assumed that it is a feature not actually needed by Bludit users. This is substantiated by the fact that users also cannot upload arbitrary files with the web application (AJAX).<br>2. Use an allowlist: If the first suggestion is not feasible as it is an actively used feature of Bludit users, it is advised to restrict the possible upload file formats with an allowlist. Before storing the uploaded files in the intended directory, their file extension and mime type should be checked.<br>3. Restrict upload storage: Users should only be allowed to store a certain amount of data on the file share (e.g. 10MB). <br>4. If uploaded files should not be downloadable by everyone: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access.<br>5. If uploaded files should be downloadable: Disable PHP in upload folder, e.g. with the following configuration in nginx:<br><br>```<br>location /upload_folder {<br>    # Disable PHP execution<br>    location ~ \\.php$ {<br>        deny all;<br>    }<br><br>    # Allow other file types<br>    location /upload_folder/ {<br>        # Additional configurations for other file types if necessary<br>    }<br>}<br>```"}], "value": "1. Remove file upload API: As the API POST request for uploading files is not documented, it can be assumed that it is a feature not actually needed by Bludit users. This is substantiated by the fact that users also cannot upload arbitrary files with the web application (AJAX).\n2. Use an allowlist: If the first suggestion is not feasible as it is an actively used feature of Bludit users, it is advised to restrict the possible upload file formats with an allowlist. Before storing the uploaded files in the intended directory, their file extension and mime type should be checked.\n3. Restrict upload storage: Users should only be allowed to store a certain amount of data on the file share (e.g. 10MB). \n4. If uploaded files should not be downloadable by everyone: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access.\n5. If uploaded files should be downloadable: Disable PHP in upload folder, e.g. with the following configuration in nginx:\n\n```\nlocation /upload_folder {\n\u00a0 \u00a0 # Disable PHP execution\n\u00a0 \u00a0 location ~ \\.php$ {\n\u00a0 \u00a0 \u00a0 \u00a0 deny all;\n\u00a0 \u00a0 }\n\n\u00a0 \u00a0 # Allow other file types\n\u00a0 \u00a0 location /upload_folder/ {\n\u00a0 \u00a0 \u00a0 \u00a0 # Additional configurations for other file types if necessary\n\u00a0 \u00a0 }\n}\n```"}], "source": {"discovery": "UNKNOWN"}, "title": "Bludit - Remote Code Execution (RCE) through File API", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "bludit", "product": "bludit", "cpes": ["cpe:2.3:a:bludit:bludit:3.14.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.14.0", "status": "affected", "lessThanOrEqual": "3.15.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-24T13:31:57.251143Z", "id": "CVE-2024-24550", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T13:33:38.619Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:19:52.559Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24550", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-24T13:31:57.251143Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:bludit:bludit:3.14.0:*:*:*:*:*:*:*"], "vendor": "bludit", "product": "bludit", "versions": [{"status": "affected", "version": "3.14.0", "versionType": "custom", "lessThanOrEqual": "3.15.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T13:33:32.615Z"}}], "cna": {"title": "Bludit - Remote Code Execution (RCE) through File API", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Andreas Pfefferle, Redguard AG"}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}, {"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}, {"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}, {"capecId": "CAPEC-175", "descriptions": [{"lang": "en", "value": "CAPEC-175 Code Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/bludit/bludit/", "vendor": "Bludit", "product": "Bludit", "versions": [{"status": "affected", "version": "3.14.0"}], "platforms": ["Linux", "Windows", "MacOS"], "packageName": "Bludit", "programFiles": ["bl-plugins/api/plugin.php"], "collectionURL": "https://www.bludit.com/", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "1. Remove file upload API: As the API POST request for uploading files is not documented, it can be assumed that it is a feature not actually needed by Bludit users. This is substantiated by the fact that users also cannot upload arbitrary files with the web application (AJAX).\n2. Use an allowlist: If the first suggestion is not feasible as it is an actively used feature of Bludit users, it is advised to restrict the possible upload file formats with an allowlist. Before storing the uploaded files in the intended directory, their file extension and mime type should be checked.\n3. Restrict upload storage: Users should only be allowed to store a certain amount of data on the file share (e.g. 10MB). \n4. If uploaded files should not be downloadable by everyone: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access.\n5. If uploaded files should be downloadable: Disable PHP in upload folder, e.g. with the following configuration in nginx:\n\n```\nlocation /upload_folder {\n\u00a0 \u00a0 # Disable PHP execution\n\u00a0 \u00a0 location ~ \\.php$ {\n\u00a0 \u00a0 \u00a0 \u00a0 deny all;\n\u00a0 \u00a0 }\n\n\u00a0 \u00a0 # Allow other file types\n\u00a0 \u00a0 location /upload_folder/ {\n\u00a0 \u00a0 \u00a0 \u00a0 # Additional configurations for other file types if necessary\n\u00a0 \u00a0 }\n}\n```", "supportingMedia": [{"type": "text/html", "value": "1. Remove file upload API: As the API POST request for uploading files is not documented, it can be assumed that it is a feature not actually needed by Bludit users. This is substantiated by the fact that users also cannot upload arbitrary files with the web application (AJAX).<br>2. Use an allowlist: If the first suggestion is not feasible as it is an actively used feature of Bludit users, it is advised to restrict the possible upload file formats with an allowlist. Before storing the uploaded files in the intended directory, their file extension and mime type should be checked.<br>3. Restrict upload storage: Users should only be allowed to store a certain amount of data on the file share (e.g. 10MB). <br>4. If uploaded files should not be downloadable by everyone: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access.<br>5. If uploaded files should be downloadable: Disable PHP in upload folder, e.g. with the following configuration in nginx:<br><br>```<br>location /upload_folder {<br>    # Disable PHP execution<br>    location ~ \\.php$ {<br>        deny all;<br>    }<br><br>    # Allow other file types<br>    location /upload_folder/ {<br>        # Additional configurations for other file types if necessary<br>    }<br>}<br>```", "base64": false}]}], "datePublic": "2024-06-20T16:00:00.000Z", "references": [{"url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.", "supportingMedia": [{"type": "text/html", "value": "A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "configurations": [{"lang": "en", "value": "- Admin must enable the API (API is disabled by default).\n- Attacker requires the knowledge of the API token\n- Authentication is not required to access the file upload directory.", "supportingMedia": [{"type": "text/html", "value": "- Admin must enable the API (API is disabled by default).<br>- Attacker requires the knowledge of the API token<br>- Authentication is not required to access the file upload directory.<br>", "base64": false}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2024-06-24T07:05:50.655Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24550", "state": "PUBLISHED", "dateUpdated": "2024-06-24T13:33:38.619Z", "dateReserved": "2024-01-25T14:02:00.526Z", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "datePublished": "2024-06-24T07:05:50.655Z", "assignerShortName": "NCSC.ch"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de seguridad en Bludit, que permite a atacantes con conocimiento del token API cargar archivos arbitrarios a trav\u00e9s de File API, lo que conduce a la ejecuci\u00f3n de c\u00f3digo arbitrario en el servidor. Esta vulnerabilidad surge del manejo inadecuado de la carga de archivos, lo que permite a actores malintencionados cargar y ejecutar archivos PHP."}], "id": "CVE-2024-24550", "lastModified": "2024-06-24T12:57:36.513", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "subsequentSystemIntegrity": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}, "published": "2024-06-24T07:15:13.580", "references": [{"source": "vulnerability@ncsc.ch", "url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-77"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}