OpenCVE

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Drupal	Drupal

Configuration 1 [-]

cpe:2.3:a:drupal:drupal:2023-05-09:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://senscybersecurity.nl/CVE-2024-45440-Explained/
https://www.drupal.org/project/drupal/issues/3457781

History

Mon, 28 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:drupal:drupal::::::::

Thu, 19 Sep 2024 18:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Drupal Drupal drupal
Weaknesses		CWE-209
CPEs		cpe:2.3:a:drupal:drupal:2023-05-09:::::::*
Vendors & Products		Drupal Drupal drupal
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Tue, 03 Sep 2024 18:00:00 +0000

Type	Values Removed	Values Added
References		https://senscybersecurity.nl/CVE-2024-45440-Explained/

Thu, 29 Aug 2024 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 29 Aug 2024 03:30:00 +0000

Type	Values Removed	Values Added
Description		core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
References		https://www.drupal.org/project/drupal/issues/3457781

MITRE

Status: PUBLISHED

Assigner: drupal

Published: 2024-08-29T00:00:00

Updated: 2024-10-28T20:20:18.538Z

Reserved: 2024-08-29T00:00:00

Link: CVE-2024-45440

Vulnrichment

Updated: 2024-08-29T13:18:28.124Z

NVD

Status : Modified

Published: 2024-08-29T11:15:27.083

Modified: 2024-10-28T21:35:16.373

Link: CVE-2024-45440

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-45440", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "assignerShortName": "drupal", "dateUpdated": "2024-10-28T20:20:18.538Z", "dateReserved": "2024-08-29T00:00:00", "datePublished": "2024-08-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2024-09-12T15:27:33.952572"}, "descriptions": [{"lang": "en", "value": "core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist."}], "affected": [{"vendor": "Drupal", "product": "Drupal core", "versions": [{"version": "v11.x-dev", "status": "affected"}]}], "references": [{"url": "https://www.drupal.org/project/drupal/issues/3457781"}, {"url": "https://senscybersecurity.nl/CVE-2024-45440-Explained/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-209", "lang": "en", "description": "CWE-209 Generation of Error Message Containing Sensitive Information"}]}], "affected": [{"vendor": "drupal", "product": "drupal", "cpes": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "10.2.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-29T13:18:23.343049Z", "id": "CVE-2024-45440", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-28T20:20:18.538Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-45440", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-29T13:18:23.343049Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "vendor": "drupal", "product": "drupal", "versions": [{"status": "affected", "version": "0", "lessThan": "10.2.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-29T13:18:28.124Z"}}], "cna": {"affected": [{"vendor": "Drupal", "product": "Drupal core", "versions": [{"status": "affected", "version": "v11.x-dev"}]}], "references": [{"url": "https://www.drupal.org/project/drupal/issues/3457781"}, {"url": "https://senscybersecurity.nl/CVE-2024-45440-Explained/"}], "descriptions": [{"lang": "en", "value": "core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2024-09-12T15:27:33.952572"}}}, "cveMetadata": {"cveId": "CVE-2024-45440", "state": "PUBLISHED", "dateUpdated": "2024-10-28T20:20:18.538Z", "dateReserved": "2024-08-29T00:00:00", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2024-08-29T00:00:00", "assignerShortName": "drupal"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:drupal:drupal:2023-05-09:*:*:*:*:*:*:*", "matchCriteriaId": "1AD01F6C-FF20-4D64-91BE-ABDF312E95F8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist."}, {"lang": "es", "value": "core/authorize.php en Drupal 11.x-dev permite la divulgaci\u00f3n de ruta completa (incluso cuando el registro de errores es Ninguno) si el valor de hash_salt es file_get_contents de un archivo que no existe."}], "id": "CVE-2024-45440", "lastModified": "2024-10-28T21:35:16.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-08-29T11:15:27.083", "references": [{"source": "mlhess@drupal.org", "tags": ["Third Party Advisory"], "url": "https://senscybersecurity.nl/CVE-2024-45440-Explained/"}, {"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/project/drupal/issues/3457781"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}