{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24551", "assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c", "state": "PUBLISHED", "assignerShortName": "NCSC.ch", "dateReserved": "2024-01-25T14:02:00.526Z", "datePublished": "2024-06-24T07:08:22.514Z", "dateUpdated": "2024-06-24T13:35:21.361Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.bludit.com/", "defaultStatus": "unaffected", "packageName": "Bludit", "platforms": ["Linux", "Windows", "MacOS"], "product": "Bludit", "programFiles": ["bl-kernel/functions.php", "bl-plugins/api/plugin.php"], "repo": "https://github.com/bludit/bludit/", "vendor": "Bludit", "versions": [{"status": "affected", "version": "v3.9.0 beta 1"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "- Admin must enable the API (API is disabled by default).<br>- Attacker requires an account to upload a malicious PHP file.<br>- Authentication is not required to access the temporary file directory."}], "value": "- Admin must enable the API (API is disabled by default).\n- Attacker requires an account to upload a malicious PHP file.\n- Authentication is not required to access the temporary file directory."}], "credits": [{"lang": "en", "type": "finder", "value": "Andreas Pfefferle, Redguard AG"}], "datePublic": "2024-06-20T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files.<br>"}], "value": "A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}, {"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}, {"capecId": "CAPEC-242", "descriptions": [{"lang": "en", "value": "CAPEC-242 Code Injection"}]}, {"capecId": "CAPEC-175", "descriptions": [{"lang": "en", "value": "CAPEC-175 Code Inclusion"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 8.9, "baseSeverity": "HIGH", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "455daabc-a392-441d-aa46-37d35189897c", "shortName": "NCSC.ch", "dateUpdated": "2024-06-24T07:08:22.514Z"}, "references": [{"url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "1. Remove tmp-folder from webroot: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access.<br>2. Remove files from tmp folder even on negative checks: Implement a cleanup process to remove files from the temporary folder, regardless of whether the file extension check is positive or negative.<br>3. Consolidate image upload code for AJAX requests: It should be noted that there is code for handling image uploads over AJAX (and not through the API) under `bl-kernel/ajax/profile-picture-upload.php`. This code is similar, but different to the API image upload code. For instance, the AJAX code for image uploads includes MIME type validation to provide an additional layer of security. It is advised to consolidate the code into a single location for easier maintenance and ensuring that it is consistent across different parts of the application."}], "value": "1. Remove tmp-folder from webroot: Ensure that the temporary file directory is relocated outside of the web root to prevent unauthorized access.\n2. Remove files from tmp folder even on negative checks: Implement a cleanup process to remove files from the temporary folder, regardless of whether the file extension check is positive or negative.\n3. Consolidate image upload code for AJAX requests: It should be noted that there is code for handling image uploads over AJAX (and not through the API) under `bl-kernel/ajax/profile-picture-upload.php`. This code is similar, but different to the API image upload code. For instance, the AJAX code for image uploads includes MIME type validation to provide an additional layer of security. It is advised to consolidate the code into a single location for easier maintenance and ensuring that it is consistent across different parts of the application."}], "source": {"discovery": "UNKNOWN"}, "title": "Bludit - Remote Code Execution (RCE) through Image API", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "bludit", "product": "bludit", "cpes": ["cpe:2.3:a:bludit:bludit:3.9.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.9.0", "status": "affected", "lessThanOrEqual": "3.15.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-24T13:35:17.703935Z", "id": "CVE-2024-24551", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-24T13:35:21.361Z"}}]}}

{"descriptions": [{"lang": "en", "value": "A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de seguridad en Bludit, que permite a atacantes autenticados ejecutar c\u00f3digo arbitrario a trav\u00e9s de Image API. Esta vulnerabilidad surge del manejo inadecuado de la carga de archivos, lo que permite a actores malintencionados cargar y ejecutar archivos PHP."}], "id": "CVE-2024-24551", "lastModified": "2024-06-24T12:57:36.513", "metrics": {}, "published": "2024-06-24T07:15:14.760", "references": [{"source": "vulnerability@ncsc.ch", "url": "https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit/"}], "sourceIdentifier": "vulnerability@ncsc.ch", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-502"}, {"lang": "en", "value": "CWE-77"}], "source": "vulnerability@ncsc.ch", "type": "Secondary"}]}

{}