fkie_cve-2024-55555
Vulnerability from fkie_nvd
Published
2025-01-07 17:15
Modified
2025-01-07 20:15
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function.
References
cve@mitre.orghttps://github.com/invoiceninja/invoiceninja/commit/d9302021472c3e7e23bac8c3d5fbec57a5f38f0c
cve@mitre.orghttps://www.synacktiv.com/advisories/invoiceninja-unauthenticated-remote-command-execution-when-appkey-known
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product\u0027s repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function."
    },
    {
      "lang": "es",
      "value": "Invoice Ninja anterior a la versi\u00f3n 5.10.43 permite la ejecuci\u00f3n remota de c\u00f3digo desde una ruta autenticada previamente cuando un atacante conoce la APP_KEY. Esto se ve agravado por los archivos .env, disponibles en el repositorio del producto, que tienen valores APP_KEY predeterminados. Se puede acceder a la ruta route/{hash} definida en el archivo invoiceninja/routes/client.php sin autenticaci\u00f3n. El par\u00e1metro {hash} se pasa a la funci\u00f3n decrypt que espera un valor cifrado de Laravel que contiene un objeto serializado. (Adem\u00e1s, Laravel contiene varias cadenas de gadgets que se pueden utilizar para activar la ejecuci\u00f3n remota de comandos a partir de una deserializaci\u00f3n arbitraria). Por lo tanto, un atacante en posesi\u00f3n de la APP_KEY puede controlar por completo una cadena que se pasa a una funci\u00f3n unserialize."
    }
  ],
  "id": "CVE-2024-55555",
  "lastModified": "2025-01-07T20:15:30.430",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-07T17:15:30.503",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/invoiceninja/invoiceninja/commit/d9302021472c3e7e23bac8c3d5fbec57a5f38f0c"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.synacktiv.com/advisories/invoiceninja-unauthenticated-remote-command-execution-when-appkey-known"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.