Scoold API Injection Vulnerability

CVE-2024-50334

What is CVE-2024-50334?

CVE-2024-50334 is a security vulnerability identified in Scoold, a question-and-answer as well as knowledge-sharing platform designed for teams. This vulnerability involves a semicolon path injection affecting the /api;/config endpoint that enables attackers to bypass authentication measures. As a result, unauthorized individuals may access sensitive configuration data, which could severely undermine the security and integrity of an organization’s information systems.

Technical Details

This vulnerability arises from improper handling of input in the Scoold API. By appending a semicolon to the URL, an attacker can exploit the flaw and bypass standard authentication checks. Additionally, an unauthenticated attacker can send PUT requests to the /api;/config endpoint while setting the Content-Type header to application/hocon. This allows for the inclusion of HOCON files, thereby enabling attackers to retrieve sensitive server information, such as configuration files. The vulnerability has been addressed in Scoold version 1.64.0, with a recommended temporary mitigation being to disable the Scoold API entirely.

Impact of the Vulnerability

1. Unauthorized Access: Attackers can gain unauthorized access to sensitive configuration data, potentially exposing critical business information and compromising security measures.

2. Data Leakage: The ability to read and extract sensitive files could lead to data leakage, which may include proprietary information or personal data of users, raising compliance and regulatory concerns.

3. Increased Risk of Further Exploitation: By obtaining configuration files, attackers may gather crucial insights into system architecture, making it easier to plan subsequent attacks or exploit other vulnerabilities within the infrastructure.

References