CVE-2024-40624

{"id": "CVE-2024-40624", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-07-15T20:15:04.810", "references": [{"url": "https://github.com/torrentpier/torrentpier/blob/84f6c9f4a081d9ffff4c233098758280304bf50f/library/includes/functions.php#L41-L60", "source": "security-advisories@github.com"}, {"url": "https://github.com/torrentpier/torrentpier/commit/ed37e6e522f345f2b46147c6f53c1ab6dec1db9e", "source": "security-advisories@github.com"}, {"url": "https://github.com/torrentpier/torrentpier/security/advisories/GHSA-fg86-4c2r-7wxw", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "TorrentPier is an open source BitTorrent Public/Private tracker engine, written in php. In `torrentpier/library/includes/functions.php`, `get_tracks()` uses the unsafe native PHP serialization format to deserialize user-controlled cookies. One can use phpggc and the chain Guzzle/FW1 to write PHP code to an arbitrary file, and execute commands on the system. For instance, the cookie bb_t will be deserialized when browsing to viewforum.php. This issue has been addressed in commit `ed37e6e52` which is expected to be included in release version 2.4.4. Users are advised to upgrade as soon as the new release is available. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "TorrentPier es un motor de seguimiento p\u00fablico/privado de BitTorrent de c\u00f3digo abierto, escrito en php. En `torrentpier/library/includes/functions.php`, `get_tracks()` utiliza el formato de serializaci\u00f3n PHP nativo no seguro para deserializar las cookies controladas por el usuario. Se pueden usar phpggc y la cadena Guzzle/FW1 para escribir c\u00f3digo PHP en un archivo arbitrario y ejecutar comandos en el sistema. Por ejemplo, la cookie bb_t se deserializar\u00e1 al navegar por viewforum.php. Este problema se solucion\u00f3 en el commit `ed37e6e52`, que se espera que se incluya en la versi\u00f3n 2.4.4. Se recomienda a los usuarios que actualicen tan pronto como est\u00e9 disponible la nueva versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-07-16T13:43:58.773", "sourceIdentifier": "security-advisories@github.com"}