CVE-2024-8517
Linux Debian vulnerability analysis and mitigation

Overview

SPIP before versions 4.3.2, 4.2.16, and 4.1.18 contains a critical command injection vulnerability (CVE-2024-8517). A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request. The vulnerability was discovered in September 2024 and affects all versions of SPIP since version 4.0 (SPIP Blog).

Technical details

The vulnerability exists in the BigUp plugin's file upload handling, specifically in the extraire_fichiers_valides function in plugins-dist/bigup/inc/Bigup/Files.php. The issue stems from improper sanitization of user-supplied data during file uploads when the bigup_retrouver_fichiers parameter is set: the code passes file upload parameters through the eval() function, so a crafted multipart request can inject commands. The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical) (VulnCheck, ThinkLoveShare).

Impact

The vulnerability allows attackers to execute arbitrary operating system commands on affected servers without requiring authentication. This gives attackers complete control over the system, potentially leading to data theft, system compromise, and further network penetration. The vulnerability affects institutional sites, community portals, academic websites, associations, personal blogs, and news sites running SPIP CMS (SecurityOnline).

Mitigation and workarounds

Users are strongly urged to update their SPIP installations to the fixed versions of their branch: 4.3.2, 4.2.16, or 4.1.18. For branches that are no longer maintained (such as SPIP 4.0), users should install the latest version of the security screen instead. The vulnerability is also addressed by the built-in WAF through commit 091eba6a7969b502dbe53c58a509b4c2a650f802 (SPIP Blog).
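A small branch-aware version check, added here as an example and not part of this advisory or of the SPIP project: it reads the version string from ecrire/inc_version.php (assumed to declare `$spip_version_branche`, as SPIP's core does) and classifies it against the fixed releases above, flagging the end-of-life 4.0 branch separately because it has no fixed release.

```python
import re

# Fixed release per maintained branch, taken from the advisory.
# Branch 4.0 is end-of-life: no fixed release, only the security screen.
FIXED = {(4, 1): (4, 1, 18), (4, 2): (4, 2, 16), (4, 3): (4, 3, 2)}
EOL_BRANCHES = {(4, 0)}


def parse_version(text):
    """Turn '4.2.15' or '4.3.0-dev' into (major, minor, patch); suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable SPIP version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def status_for_cve_2024_8517(version):
    """Classify an installed SPIP version against CVE-2024-8517."""
    v = parse_version(version)
    branch = v[:2]
    if v < (4, 0, 0):
        return "not_affected"      # advisory: all versions since 4.0 are affected
    if branch in FIXED:
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    if branch in EOL_BRANCHES:
        return "vulnerable_eol"    # no fixed release; apply the security screen
    return "unknown_branch"        # newer than the advisory covers; check its changelog


def version_from_inc_version(php_source):
    """Extract $spip_version_branche from the text of ecrire/inc_version.php
    (assumed variable name; verify it against your installation)."""
    m = re.search(r"\$spip_version_branche\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    if not m:
        raise ValueError("$spip_version_branche not found")
    return m.group(1)


# Constructed sample of the relevant line, not copied from a real install.
SAMPLE_INC_VERSION = '<?php\n$spip_version_branche = "4.2.15";\n'

if __name__ == "__main__":
    installed = version_from_inc_version(SAMPLE_INC_VERSION)
    print(installed, status_for_cve_2024_8517(installed))
```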

Community reactions

The security community has actively discussed this vulnerability, with multiple researchers confirming its severity. The SPIP development team responded promptly to the vulnerability report and released patches. The discovery was particularly notable as it was found during a security challenge, leading to collaborative research efforts between security researchers (ThinkLoveShare).

This report was generated using AI.