Vulnerability Management, Patch/Configuration Management

RCE attacks likely with pair of Traccar GPS system bugs

Share

Open-source GPS tracking server Traccar has been impacted with a high-severity path traversal vulnerability, tracked as CVE-2024-24809, and a critical unrestricted file upload flaw, tracked as CVE-2024-31214, which could be leveraged to facilitate remote code execution without authorization, reports The Hacker News.

Both issues, which affect Traccar versions 5.1 to 5.12, stem from the platform's management of device image file uploads and could be used to enable file overwriting when the registration setting is "true" and both deviceReadonly and readOnly are "false," which are the defaults for Traccar 5, an analysis from Horizon3.ai revealed. "The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system. However an attacker only has partial control over the filename," said Horizon3.ai researcher Naveen Sunkavally, who also noted potential RCE in Windows systems via the addition of an LNK file within the "C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUp" folder. Traccar has already addressed both flaws with version 6 of the platform released in April.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.