CVE - CVE-2024-31214

CVE-ID
CVE-2024-31214	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DOS, etc. The default install of Traccar makes this vulnerability more severe. Self-registration is enabled by default, allowing anyone to create an account to exploit this vulnerability. Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56 URL:https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56 MISC:https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191 URL:https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191 MISC:https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f URL:https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f MISC:https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9 URL:https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20240329	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240329)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)