CVE CyberSecurity Database News

CVE-2024-56145 – An Unspecified Remote Code Execution Vulnerability in Craft CMS

Poster -

As digital experiences have become more sophisticated, the demand for flexible, user-friendly content management systems (CMS) has risen. Craft CMS is a prime example of such a solution that offers users an exceptional degree of customization to meet their specific needs in generating content on the web and beyond. However, it has recently come to light that several versions of Craft CMS are affected by a critical vulnerability (CVE-2024-56145), leaving them susceptible to unspecified remote code execution attacks.

Exploit Details

Craft CMS users with affected versions should be aware that this vulnerability is present if their PHP configuration file, php.ini, has register_argc_argv enabled. For these users, an unspecified remote code execution vector is present, posing a high-level security risk to their digital content.

The relevant code snipplet from the vulnerable php.ini file is as follows

; This directive tells PHP whether to declare the argv&argc variables (that
; would contain the GET information). If you don't use these variables, you
; should turn it off for increased performance.
;
; Default Value: On
; Development Value: Off
; Production Value: Off
;
; http://php.net/register-argc-argv
register_argc_argv = On

In essence, the code above demonstrates that register_argc_argv is enabled by default.

Solution and Mitigation

To resolve this issue and safeguard your digital content, it is highly advised to update your Craft CMS to the latest version, 3.9.14, 4.13.2, or 5.5.2. These updated versions have patched the vulnerability, protecting users against such attacks.

For users who are unable to upgrade their Craft CMS, disabling register_argc_argv in the php.ini file is the recommended mitigation strategy. By doing so, users can eliminate the remote code execution vector present in the affected versions.

To disable register_argc_argv, update the relevant line in your php.ini file as follows

register_argc_argv = Off

After making this change, be sure to restart your PHP service for the update to take effect.

Original References

For more information on the vulnerability and affected versions, users can refer to the following sources:

1. Craft CMS Release Notes: The release notes for Craft CMS detail the specific versions that have been patched to resolve the vulnerability.
2. PHP Manual – register_argc_argv: Provides documentation about the register_argc_argv directive in the php.ini file.

It is crucial for users with affected versions of Craft CMS to take the necessary steps to secure their digital content management systems. By either updating to the latest version or disabling register_argc_argv, you can mitigate the risk posed by the CVE-2024-56145 vulnerability and ensure your custom digital experiences remain protected against potential remote code execution attacks. Understanding and taking action on this critical security issue is the best practice for maintaining a safe and reliable web presence.

Timeline

Published on: 12/18/2024 21:15:08 UTC
Last modified on: 12/19/2024 21:15:08 UTC