CVE-2024-24809 - OpenCVE

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901
https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-10T14:48:13.370Z

Updated: 2024-08-01T23:28:12.902Z

Reserved: 2024-01-31T16:28:17.941Z

Link: CVE-2024-24809

Vulnrichment

Updated: 2024-08-01T23:28:12.902Z

NVD

Status : Awaiting Analysis

Published: 2024-04-10T15:16:04.027

Modified: 2024-04-10T19:49:51.183

Link: CVE-2024-24809

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24809", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-31T16:28:17.941Z", "datePublished": "2024-04-10T14:48:13.370Z", "dateUpdated": "2024-08-01T23:28:12.902Z"}, "containers": {"cna": {"title": "Traccar vulnerable to Path Traversal: 'dir/../../filename' and Unrestricted Upload of File with Dangerous Type", "problemTypes": [{"descriptions": [{"cweId": "CWE-27", "lang": "en", "description": "CWE-27: Path Traversal: 'dir/../../filename'", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5"}, {"name": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901", "tags": ["x_refsource_MISC"], "url": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901"}], "affected": [{"vendor": "traccar", "product": "traccar", "versions": [{"version": "< 6.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-10T14:48:13.370Z"}, "descriptions": [{"lang": "en", "value": "Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue."}], "source": {"advisory": "GHSA-vhrw-72f6-gwp5", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-10T19:59:43.412049Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:43:07.468Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.902Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5"}, {"name": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5", "name": "https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901", "name": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:28:12.902Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-10T19:59:43.412049Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:23.165Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Traccar vulnerable to Path Traversal: 'dir/../../filename' and Unrestricted Upload of File with Dangerous Type", "source": {"advisory": "GHSA-vhrw-72f6-gwp5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "traccar", "product": "traccar", "versions": [{"status": "affected", "version": "< 6.0"}]}], "references": [{"url": "https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5", "name": "https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901", "name": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-27", "description": "CWE-27: Path Traversal: 'dir/../../filename'"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-10T14:48:13.370Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24809", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:28:12.902Z", "dateReserved": "2024-01-31T16:28:17.941Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-04-10T14:48:13.370Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue."}, {"lang": "es", "value": "Traccar es un sistema de seguimiento GPS de c\u00f3digo abierto. Las versiones anteriores a la 6.0 son vulnerables a path traversal y a la carga sin restricciones de archivos con tipos peligrosos. Dado que el sistema permite el registro de forma predeterminada, los atacantes pueden adquirir permisos de usuario normales registrando una cuenta y aprovechar esta vulnerabilidad para cargar archivos con el prefijo \"dispositivo\" en cualquier carpeta. Los atacantes pueden utilizar esta vulnerabilidad para phishing, ataques de Cross-Site Scripting y, potencialmente, ejecutar comandos arbitrarios en el servidor. La versi\u00f3n 6.0 contiene un parche para el problema."}], "id": "CVE-2024-24809", "lastModified": "2024-04-10T19:49:51.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-04-10T15:16:04.027", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/traccar/traccar/commit/b099b298f90074c825ba68ce73532933c7b9d901"}, {"source": "security-advisories@github.com", "url": "https://github.com/traccar/traccar/security/advisories/GHSA-vhrw-72f6-gwp5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-27"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Secondary"}]}