CVE-2024-31214
Published: 10 April 2024
Summary
CVE-2024-31214 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Traccar. Its CVSS 3.1 base score is 9.6 (Critical).
Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Traccar, an open source GPS tracking system, contains an unrestricted file upload vulnerability in versions 5.1 through 5.12 that affects the device image upload API. An attacker fully controls the file contents, the storage directory and the file extension, and partially controls the file name, so new files with partly attacker-chosen names and attacker-chosen extensions can be created at arbitrary filesystem locations. Existing files cannot be overwritten. The issue is tracked as CWE-434 and carries a CVSS 3.1 score of 9.6.
No pre-existing access is required: a remote attacker can create an account through the self-registration feature, which is enabled by default, and then exploit the flaw as an authenticated user. Because Traccar also runs with root or system privileges by default, the attacker can create files anywhere on the filesystem, which can lead to remote code execution, cross-site scripting, denial of service, or other impacts depending on where the file lands and what consumes it.
The vulnerability is fixed in version 6.0. The project advisory additionally recommends disabling self-registration to reduce exposure. The EPSS score is 0.2220; no rise from a materially lower baseline is documented.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-29114
Vulnerability details
Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not possible for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DOS, etc. The default install of Traccar makes this vulnerability more severe. Self-registration is enabled by default, allowing anyone to create an account to exploit this vulnerability. Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably.
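The deeper analysis and the vulnerability details above describe the same mechanism: client-supplied values end up in the storage path of the device image, so the attacker picks the directory and the extension. The Python below is an added example written for this page, not Traccar's own (Java) code and not taken from the advisory; it contrasts that weak pattern with a hardened one that allowlists the extension, restricts the device identifier to a safe alphabet, fixes the base name, and verifies the resolved path stays inside the media root. The media root, the device ID format and all function names are assumptions for illustration.

```python
import os
import re

# Constructed values for this illustration; they are not Traccar's actual
# configuration, API or storage layout.
MEDIA_ROOT = "/opt/traccar/media"
ALLOWED_IMAGE_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "webp"})
# Device unique IDs (IMEIs, serials) need nothing beyond this character set.
UNIQUE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def unsafe_media_path(media_root: str, unique_id: str, extension: str) -> str:
    """The weak pattern (CWE-434 combined with path traversal): the
    caller-supplied identifier and extension are spliced into the storage
    path unchecked. '../' segments in the identifier walk out of the media
    root, and the extension is whatever the client sent."""
    return os.path.normpath(os.path.join(media_root, unique_id, "device." + extension))


def escapes_root(media_root: str, candidate: str) -> bool:
    """True when the resolved candidate path lies outside media_root.
    realpath() is applied to both sides so a symlinked root or component
    cannot fool a purely lexical comparison."""
    root = os.path.realpath(media_root)
    target = os.path.realpath(candidate)
    return os.path.commonpath([root, target]) != root


def safe_media_path(media_root: str, unique_id: str, extension: str) -> str:
    """Hardened form: allowlist the extension, restrict the identifier to a
    safe alphabet, fix the base name, and confirm the final path is still
    inside media_root. Raises ValueError on any rejection so the caller
    never writes the file."""
    ext = extension.lower().lstrip(".")
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        raise ValueError(f"extension not allowed: {extension!r}")
    if not UNIQUE_ID_RE.fullmatch(unique_id):
        raise ValueError(f"invalid device identifier: {unique_id!r}")
    # The client controls neither the base name nor the directory, only
    # which allowlisted extension is used.
    candidate = os.path.normpath(os.path.join(media_root, unique_id, "device." + ext))
    if escapes_root(media_root, candidate):  # defence in depth after the regex
        raise ValueError("resolved path leaves the media root")
    return candidate


def upload_accepted(media_root: str, unique_id: str, extension: str) -> bool:
    """Convenience wrapper: True if safe_media_path would accept the upload."""
    try:
        safe_media_path(media_root, unique_id, extension)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Attacker-style input: traversal in the identifier, executable extension.
    hostile = unsafe_media_path(MEDIA_ROOT, "../../etc/cron.d/job", "sh")
    print("unsafe path:", hostile, "| escapes root:", escapes_root(MEDIA_ROOT, hostile))
    print("hardened rejects it:", not upload_accepted(MEDIA_ROOT, "../../etc/cron.d/job", "sh"))
    print("hardened accepts benign:", safe_media_path(MEDIA_ROOT, "358000000000001", "PNG"))
```

The containment check is deliberately kept even though the regex already excludes path separators: the regex is the policy, the realpath comparison is the guarantee that survives a later relaxation of the policy. A server-side check of the uploaded bytes (magic number, image decoding) would be the next layer, since an allowlisted extension says nothing about the content.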
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.