CVE-2024-31214

Traccar's unrestricted file upload vulnerability in device image upload could lead to remote code execution

Severity Score

9.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DOS, etc. The default install of Traccar makes this vulnerability more severe. Self-registration is enabled by default, allowing anyone to create an account to exploit this vulnerability. Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-03-29 CVE Reserved
2024-04-10 CVE Published
2024-08-02 CVE Updated
2024-09-24 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (5)

URL	Tag	Source
https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56	X_refsource_misc
https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191	X_refsource_misc
https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f	X_refsource_misc
https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9	X_refsource_confirm

URL	Date	SRC
https://packetstorm.news/files/id/181800	2024-09-24

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Traccar Search vendor "Traccar"		Traccar Search vendor "Traccar" for product "Traccar"				>= 5.1 < 6.0 Search vendor "Traccar" for product "Traccar" and version " >= 5.1 < 6.0"		en		Affected