
Cloud Vulnerability DB
A community-led vulnerabilities database
An unauthenticated file read vulnerability (CVE-2024-46938) was discovered in Sitecore Experience Platform (XP), Experience Manager (XM), and Experience Commerce (XC) versions 8.0 Initial Release through 10.4 Initial Release. The vulnerability allows an unauthenticated attacker to read arbitrary files from the local system (NVD, Assetnote).
The vulnerability is an order-of-operations flaw: the requested file name is verified before it is normalized, and the input is modified again after verification. The /-/speak/v1/bundles/bundle.js endpoint allows arbitrary file read when an absolute path is supplied. Because the query parameter that names the file is checked before normalization and altered afterwards, the file-extension check can be bypassed; for example, Web.Config#.js is reduced to just Web.Config after validation (Assetnote).
The vulnerability can lead to disclosure of sensitive files such as web.config, which often contains machine keys and Telerik encryption keys. This information disclosure can typically lead to command execution through deserialization of a ViewState crafted after obtaining the machineKey value. An attacker can also use this vulnerability to download Sitecore backups containing DLL files with custom code, which could expose additional vulnerabilities (Assetnote).
Sitecore patched this vulnerability in August 2024 as announced in their Security Bulletin SC2024-001-619349 (Assetnote).
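The following is an added illustration of the bug class described above, not Sitecore's code: a constructed file resolver that checks the extension before normalizing the input, placed beside a hardened version that normalizes first, verifies the final value, and confines it to a root directory. The root path, file names and fragment-stripping behaviour are assumptions made for the example.

```python
import posixpath
from typing import Optional

ALLOWED_EXT = ".js"
# Constructed placeholder for the directory that bundle files are served from.
BUNDLE_ROOT = "/srv/app/bundles"


def strip_fragment(requested: str) -> str:
    """Post-validation clean-up assumed for the example: drop '#' and what follows."""
    return requested.split("#", 1)[0]


def vulnerable_resolve(requested: str) -> Optional[str]:
    """Order-of-operations flaw: verify on the raw input, then modify it."""
    # 1. Extension check runs on the un-normalized value ("Web.Config#.js" passes).
    if not requested.lower().endswith(ALLOWED_EXT):
        return None
    # 2. Input is modified after the check; absolute paths are honoured as given.
    cleaned = strip_fragment(requested)
    if cleaned.startswith("/"):
        return cleaned
    return posixpath.join(BUNDLE_ROOT, cleaned)


def hardened_resolve(requested: str) -> Optional[str]:
    """Normalize first, confine to the root, then verify the value actually opened."""
    cleaned = posixpath.normpath(strip_fragment(requested))
    # Reject absolute paths and any traversal out of the root.
    if posixpath.isabs(cleaned) or cleaned == ".." or cleaned.startswith("../"):
        return None
    full = posixpath.normpath(posixpath.join(BUNDLE_ROOT, cleaned))
    if not full.startswith(BUNDLE_ROOT + "/"):
        return None
    # 3. The extension check now sees the final path, so no later step can change it.
    if not full.lower().endswith(ALLOWED_EXT):
        return None
    return full


if __name__ == "__main__":
    for name in ("app.js", "/srv/app/Web.Config#.js", "../../Web.Config#.js"):
        print(name, "->", vulnerable_resolve(name), "|", hardened_resolve(name))
```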
Source: This report was generated using AI