CVE-2024-40645 - OpenCVE

FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client banner image requiring it to be 650 pixels wide and 120 pixels high. Apart from that, there are no checks on things like file extensions. This can be abused by appending a PHP webshell to the end of the image and changing the extension to anything the PHP web server will parse. This vulnerability is fixed in 1.5.10.41.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Fogproject	Fogproject

Configuration 1 [-]

cpe:2.3:a:fogproject:fogproject:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/lib/pages/fogconfigurationpage.class.php#L2860-L2896
https://github.com/FOGProject/fogproject/commit/9469606a18bf8887740cceed6593a2e0380b5e0c
https://github.com/FOGProject/fogproject/security/advisories/GHSA-59mq-q8g5-2f4f

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-31T18:57:50.347Z

Updated: 2024-07-31T20:13:14.492Z

Reserved: 2024-07-08T16:13:15.512Z

Link: CVE-2024-40645

Vulnrichment

Updated: 2024-07-31T20:13:06.439Z

NVD

Status : Analyzed

Published: 2024-07-31T19:15:11.870

Modified: 2024-09-05T17:09:16.947

Link: CVE-2024-40645

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-40645", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-07-08T16:13:15.512Z", "datePublished": "2024-07-31T18:57:50.347Z", "dateUpdated": "2024-07-31T20:13:14.492Z"}, "containers": {"cna": {"title": "FOG Authenticated File Upload RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-59mq-q8g5-2f4f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-59mq-q8g5-2f4f"}, {"name": "https://github.com/FOGProject/fogproject/commit/9469606a18bf8887740cceed6593a2e0380b5e0c", "tags": ["x_refsource_MISC"], "url": "https://github.com/FOGProject/fogproject/commit/9469606a18bf8887740cceed6593a2e0380b5e0c"}, {"name": "https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/lib/pages/fogconfigurationpage.class.php#L2860-L2896", "tags": ["x_refsource_MISC"], "url": "https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/lib/pages/fogconfigurationpage.class.php#L2860-L2896"}], "affected": [{"vendor": "FOGProject", "product": "fogproject", "versions": [{"version": "< 1.5.10.41", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-31T18:57:50.347Z"}, "descriptions": [{"lang": "en", "value": "FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client banner image requiring it to be 650 pixels wide and 120 pixels high. Apart from that, there are no checks on things like file extensions. This can be abused by appending a PHP webshell to the end of the image and changing the extension to anything the PHP web server will parse. This vulnerability is fixed in 1.5.10.41."}], "source": {"advisory": "GHSA-59mq-q8g5-2f4f", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "fogproject", "product": "fogproject", "cpes": ["cpe:2.3:a:fogproject:fogproject:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.5.10.41", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-31T20:11:58.543306Z", "id": "CVE-2024-40645", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T20:13:14.492Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-40645", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-31T20:11:58.543306Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fogproject:fogproject:*:*:*:*:*:*:*:*"], "vendor": "fogproject", "product": "fogproject", "versions": [{"status": "affected", "version": "0", "lessThan": "1.5.10.41", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-31T20:13:06.439Z"}}], "cna": {"title": "FOG Authenticated File Upload RCE", "source": {"advisory": "GHSA-59mq-q8g5-2f4f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "FOGProject", "product": "fogproject", "versions": [{"status": "affected", "version": "< 1.5.10.41"}]}], "references": [{"url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-59mq-q8g5-2f4f", "name": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-59mq-q8g5-2f4f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/FOGProject/fogproject/commit/9469606a18bf8887740cceed6593a2e0380b5e0c", "name": "https://github.com/FOGProject/fogproject/commit/9469606a18bf8887740cceed6593a2e0380b5e0c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/lib/pages/fogconfigurationpage.class.php#L2860-L2896", "name": "https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/lib/pages/fogconfigurationpage.class.php#L2860-L2896", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client banner image requiring it to be 650 pixels wide and 120 pixels high. Apart from that, there are no checks on things like file extensions. This can be abused by appending a PHP webshell to the end of the image and changing the extension to anything the PHP web server will parse. This vulnerability is fixed in 1.5.10.41."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-31T18:57:50.347Z"}}}, "cveMetadata": {"cveId": "CVE-2024-40645", "state": "PUBLISHED", "dateUpdated": "2024-07-31T20:13:14.492Z", "dateReserved": "2024-07-08T16:13:15.512Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-31T18:57:50.347Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fogproject:fogproject:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDC1FAD4-EE15-41FF-BDF0-685E7885E4F6", "versionEndIncluding": "1.5.10.41", "versionStartIncluding": "1.5.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FOG is a cloning/imaging/rescue suite/inventory management system. An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. The Rebranding feature has a check on the client banner image requiring it to be 650 pixels wide and 120 pixels high. Apart from that, there are no checks on things like file extensions. This can be abused by appending a PHP webshell to the end of the image and changing the extension to anything the PHP web server will parse. This vulnerability is fixed in 1.5.10.41."}, {"lang": "es", "value": "FOG es un sistema de gesti\u00f3n de inventario, clonaci\u00f3n, im\u00e1genes, suite de rescate. Una funci\u00f3n de carga de archivos restringida incorrectamente permite a los usuarios autenticados ejecutar c\u00f3digo arbitrario en el servidor de fogproject. La funci\u00f3n de cambio de marca tiene una verificaci\u00f3n en la imagen del banner del cliente que requiere que tenga 650 p\u00edxeles de ancho y 120 p\u00edxeles de alto. Aparte de eso, no hay controles sobre cosas como las extensiones de archivos. Se puede abusar de esto agregando un webshell PHP al final de la imagen y cambiando la extensi\u00f3n a cualquier cosa que el servidor web PHP analice. Esta vulnerabilidad se solucion\u00f3 en 1.5.10.41."}], "id": "CVE-2024-40645", "lastModified": "2024-09-05T17:09:16.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-07-31T19:15:11.870", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/lib/pages/fogconfigurationpage.class.php#L2860-L2896"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/FOGProject/fogproject/commit/9469606a18bf8887740cceed6593a2e0380b5e0c"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/FOGProject/fogproject/security/advisories/GHSA-59mq-q8g5-2f4f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Secondary"}]}