CVE-2024-45440
Published: 29 August 2024
Summary
CVE-2024-45440 is a medium-severity Generation of Error Message Containing Sensitive Information (CWE-209) vulnerability in Drupal. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-45440 affects core/authorize.php in Drupal 11.x-dev and enables full path disclosure even when Drupal's error logging is set to None. The flaw is triggered when settings.php assigns hash_salt from file_get_contents() on a file that does not exist: the PHP warning raised by the failed read names the absolute server-side path of the script, and authorize.php returns it to the client regardless of the error-display setting. It is tracked as CWE-209 with a CVSS 3.1 score of 5.3, reflecting network-accessible information disclosure.
Unauthenticated remote attackers can trigger the condition without credentials or user interaction to learn the file-system path of the Drupal installation, a limited disclosure that may support further reconnaissance against the affected instance.
The EPSS score peaked at 0.8754 and currently stands at 0.8669. Public references include the Drupal issue tracker, an Exploit-DB entry, and a technical analysis at senscybersecurity.nl.
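The mechanism above in code, as an added example that is not Drupal's own code: the settings.php pattern that triggers the disclosure, a hardened loader that keeps the path in the server log, and a detector that recognises a PHP warning carrying an absolute script path in a captured response body. All paths (/home/example/salt.txt, /nonexistent/salt.txt) and the function names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not Drupal's code. Paths and function names are hypothetical.

// 1. Vulnerable pattern. default.settings.php suggests keeping the salt in a
//    file outside the web root and loading it this way. When the file is
//    missing, file_get_contents() raises a warning of the form
//      Warning: file_get_contents(/home/example/salt.txt): Failed to open
//      stream: No such file or directory in /var/www/html/core/authorize.php on line N
//    which names the absolute path of the running script.
function load_hash_salt_vulnerable(string $path) {
  return file_get_contents($path);   // warning text embeds the absolute script path
}

// 2. Hardened pattern: check the file yourself, log the path server-side only,
//    and return null so the caller can fail closed with a generic message.
function load_hash_salt_hardened(string $path): ?string {
  if (!is_file($path) || !is_readable($path)) {
    error_log("hash_salt: file missing or unreadable: $path");  // server log only
    return null;
  }
  $salt = trim((string) file_get_contents($path));
  if (strlen($salt) < 32) {                                    // empty or too short for a salt
    error_log("hash_salt: file too short: $path");
    return null;
  }
  return $salt;
}

// 3. Detection: a check a scanner or outbound response filter can apply to a
//    body. PHP's HTML-formatted warnings wrap the path in <b>, so tags are
//    stripped before matching "in /abs/path.php on line N".
function leaks_full_path(string $body): bool {
  $text = strip_tags($body);
  return (bool) preg_match('#\b(Warning|Notice|Fatal error|Deprecated):.*\bin /\S+\.php on line \d+#', $text);
}

// How settings.php would use the hardened loader (fail closed, generic message):
//   ini_set('display_errors', '0');   // belt and braces: warnings never reach the client
//   $salt = load_hash_salt_hardened('/home/example/salt.txt');
//   if ($salt === null) { http_response_code(500); exit('Site configuration error.'); }
//   $settings['hash_salt'] = $salt;

// Stand-alone demonstration: capture the real warning the vulnerable loader
// produces, formatted the way PHP displays it, then run the detector over it.
$captured = '';
set_error_handler(function (int $no, string $msg, string $file, int $line) use (&$captured): bool {
  $captured = "Warning: $msg in $file on line $line";   // mirrors PHP's display format
  return true;
});
load_hash_salt_vulnerable('/nonexistent/salt.txt');
restore_error_handler();
fwrite(STDOUT, 'vulnerable loader: ' . (leaks_full_path($captured) ? 'leaks absolute path' : 'clean') . "\n");

// The hardened loader on the same missing file: nothing for the detector to find.
$hardened = load_hash_salt_hardened('/nonexistent/salt.txt');
fwrite(STDOUT, 'hardened loader: ' . ($hardened === null ? 'failed closed, no warning emitted' : 'loaded salt') . "\n");

// Constructed sample of an HTML-formatted warning, as a browser would receive it.
$sampleBody = '<b>Warning</b>:  file_get_contents(/home/example/salt.txt): Failed to open stream: '
  . 'No such file or directory in <b>/var/www/html/core/authorize.php</b> on line <b>29</b>';
fwrite(STDOUT, 'constructed sample: ' . (leaks_full_path($sampleBody) ? 'leaks absolute path' : 'clean') . "\n");
```

The detector is deliberately narrow (a PHP diagnostic prefix followed by an absolute `.php` path and a line number) so it can run as a response-filter rule without flagging ordinary page text; a broader rule that also catches stack traces or database paths would need its own patterns.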
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2616
Vulnerability details
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
- CWE(s): CWE-209 (Generation of Error Message Containing Sensitive Information)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Detects error messages that leak sensitive information as evidence of disclosure.
- Directly mitigates the generation of error messages containing sensitive authentication details by requiring obscured feedback instead of verbose responses.
- Misdirection allows the generation of misleading error messages that withhold or falsify sensitive details.
- Explicitly requires error messages to avoid including sensitive or exploitable details while still supporting corrective action.
- Validation ensures error messages contain only expected, non-sensitive content and blocks leakage via verbose errors.
- Fail-safe procedures can be defined to suppress or sanitize error output, reducing the generation of messages that contain sensitive information.