
CVE-2024-31214

Severity: Critical · Public PoC

Published: 10 April 2024
Modified: 09 January 2025
KEV Added: not listed
Patch: available (version 6.0)
CVSS v3.1 score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS score: 0.2220 (95.9th percentile)
Risk priority: 33 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-31214 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Traccar (vendor: Traccar). Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Traccar, an open source GPS tracking system, contains an unrestricted file upload vulnerability in versions 5.1 through 5.12 that affects the device image upload API. Attackers can supply arbitrary file contents, storage directories, and extensions while exercising partial control over filenames, enabling creation of new files with attacker-chosen names and extensions at arbitrary filesystem locations. The issue is tracked as CWE-434 and carries a CVSS 3.1 score of 9.6.

An unauthenticated remote attacker can exploit the flaw after creating an account via the self-registration feature that is enabled by default. Because Traccar also runs with root or system privileges by default, the attacker can place files anywhere on the filesystem, potentially achieving remote code execution, cross-site scripting, denial of service, or other impacts.

The vulnerability is fixed in version 6.0. The project advisory additionally recommends disabling self-registration to reduce exposure. The EPSS score stands at 0.2220; no rise from a materially lower baseline is documented.
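The controls that close this class of bug are the ones the analysis above implies: a numeric device identifier, a server-chosen file name and extension, a file-signature check against the declared type, and a final containment check on the resolved path. The following is an added illustration, not Traccar code; the endpoint shape, the media directory and the helper names are assumptions, and the sample bytes are constructed.

```python
import re
from pathlib import Path

# Allowlist for a hypothetical device image endpoint: the server picks the
# extension from this table and ignores the client's file name and extension.
# Magic bytes are the well-known PNG and JPEG signatures.
ALLOWED_IMAGES = {
    "image/png": (".png", b"\x89PNG\r\n\x1a\n"),
    "image/jpeg": (".jpg", b"\xff\xd8\xff"),
}
DEVICE_ID_RE = re.compile(r"[0-9]{1,10}")


class UploadRejected(ValueError):
    pass


def unsafe_store_path(base_dir: str, device_dir: str, name: str, ext: str) -> Path:
    """CWE-434 shape the advisory describes (constructed illustration): directory,
    name and extension come from the request and are joined verbatim."""
    return Path(base_dir) / device_dir / f"{name}{ext}"


def safe_store_path(base_dir: str, device_id: str, content_type: str, data: bytes) -> Path:
    """Hardened variant: numeric id, fixed per-device name, server-chosen
    extension, signature check, and the resolved path kept inside base_dir."""
    if not DEVICE_ID_RE.fullmatch(device_id):
        raise UploadRejected("device id must be numeric")
    if content_type not in ALLOWED_IMAGES:
        raise UploadRejected("content type not allowed: " + content_type)
    ext, magic = ALLOWED_IMAGES[content_type]
    if not data.startswith(magic):
        raise UploadRejected("file signature does not match declared type")
    root = Path(base_dir).resolve()
    target = (root / "device" / f"{device_id}{ext}").resolve()
    if root not in target.parents:  # defence in depth; the name is already fixed
        raise UploadRejected("resolved path escapes the media directory")
    return target


def upload_decision(base_dir: str, device_id: str, content_type: str, data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a candidate upload."""
    try:
        safe_store_path(base_dir, device_id, content_type, data)
        return "accepted"
    except UploadRejected as exc:
        return "rejected: " + str(exc)


def escapes_base(base_dir: str, candidate: Path) -> bool:
    """True when the normalised candidate path lies outside base_dir."""
    return Path(base_dir).resolve() not in candidate.resolve().parents
```

`escapes_base` is the check a reviewer would apply to any write path built from request data; the unsafe variant fails it, the hardened one cannot.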


Vulnerability details

Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not possible for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DoS, etc. The default install of Traccar makes this vulnerability more severe. Self-registration is enabled by default, allowing anyone to create an account to exploit this vulnerability. Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: traccar
Product: traccar
Versions: 5.1 to 5.12

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control 1 (addresses CWE-434): Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Control 2 (addresses CWE-434): Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

Control 3 (addresses CWE-434): Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Control 4 (addresses CWE-434): Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
