Cyber Resilience

CVE-2024-45440

MediumPublic PoC

Published: 29 August 2024

Published
29 August 2024
Modified
21 April 2025
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.8669 99.4th percentile
Risk Priority 63 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45440 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Drupal Drupal. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2024-45440 affects core/authorize.php in Drupal 11.x-dev and enables full path disclosure even when error logging is set to None. The flaw is triggered when the hash_salt value is obtained via file_get_contents on a file that does not exist. It is tracked as CWE-209 with a CVSS 3.1 score of 5.3 reflecting network-accessible information disclosure.

Unauthenticated remote attackers can exploit the condition without credentials or user interaction to obtain limited file-system path details that may support further reconnaissance against the affected Drupal instance.

The EPSS score reached a peak of 0.8754 with a current value of 0.8669. Public references include the Drupal issue tracker, an Exploit-DB entry, and a technical analysis at senscybersecurity.nl.

EU & UK References

Vulnerability details

core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

drupal
drupal
2023-05-09

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-209

Detects error messages that leak sensitive information as evidence of disclosure.

addresses: CWE-209

The control directly mitigates generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.

addresses: CWE-209

Misdirection allows generation of misleading error messages that withhold or falsify sensitive details.

addresses: CWE-209

Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.

addresses: CWE-209

Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.

addresses: CWE-209

Fail-safe procedures can be defined to suppress or sanitize error output, reducing generation of messages that contain sensitive information.

References