CVE-2024-2053
Published: 2024-03-21
Priority: P1 · 83 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 44.58% (98.6th percentile)
The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user. This issue was demonstrated on version 4.50 of the The Artica-Proxy administrative web application attempts to prevent local file inclusion. These protections can be bypassed and arbitrary file requests supplied by unauthenticated users will be returned according to the privileges of the "www-data" user.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artica_tech | artica_proxy | — | — |
| artica_tech | artica_proxy | — | — |
| articatech | artica_proxy | — | — |
| articatech | artica_proxy | — | — |
Detection & IOCs (extracted from sources)
yara
body matches /root:.*:0:0:/
- HTTP GET requests to /images.listener.php with a 'mailattach' parameter containing path traversal sequences (..././) should be flagged as LFI exploitation attempts against Artica Proxy.
- Responses containing 'application/force-download' in the body combined with a 200 status code from /images.listener.php indicate successful LFI exploitation.
- Shodan/FOFA fingerprint for exposed Artica Proxy instances: search for HTTP HTML containing 'artica' or body containing 'artica'.
- The path traversal bypass uses the obfuscated sequence '..././' (not standard '../') to evade LFI protections in Artica Proxy's administrative web application.
- The vulnerability affects Artica Proxy version 4.50 specifically; the CPE in the template references 4.40, so detection should cover both versions.
- Code execution occurs as the 'www-data' user; file read access is scoped to that user's privileges, meaning not all files may be accessible.
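Added example (not taken from any of the sources quoted on this page): a log-triage sketch for the request-side indicators listed above. The combined log format, the sample lines, the `FILE` placeholder and the verdict labels are assumptions; a 200 verdict only means the response body still has to be checked for 'application/force-download'.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/images.listener.php"    # path named in the detection notes
PARAM = "mailattach"                 # parameter named in the detection notes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
DOT_SEGMENT = re.compile(r"\.{2,}")  # "..", "..." etc. as a whole path segment

# Constructed sample lines (documentation IPs, placeholder file name).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Mar/2024:10:00:01 +0000] "GET /images.listener.php?mailattach=logo.png HTTP/1.1" 200 5120
192.0.2.44 - - [21/Mar/2024:10:00:07 +0000] "GET /images.listener.php?mailattach=..././..././FILE HTTP/1.1" 200 1833
192.0.2.44 - - [21/Mar/2024:10:00:09 +0000] "GET /images.listener.php?mailattach=%252e%252e%252e%252f%252e%252fFILE HTTP/1.1" 403 199
192.0.2.51 - - [21/Mar/2024:10:01:30 +0000] "GET /index.php?mailattach=..././FILE HTTP/1.1" 404 0
"""

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding and normalise backslashes to slashes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify(line):
    """Return (client, verdict) for a traversal attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    url = urlsplit(target)
    if method != "GET" or fully_decode(url.path).lower() != ENDPOINT:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        # "..././" splits into the segments "..." and ".", so it is caught
        # by the same rule that catches a plain "../".
        if any(DOT_SEGMENT.fullmatch(s) for s in fully_decode(raw).split("/")):
            return client, "lfi-attempt-200" if status == "200" else "lfi-attempt"
    return None

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```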
CVSS provenance
- nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck · 7.5 HIGH
GHSA
GHSA-92jp-q2g9-wmq7: The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code
ghsa_unreviewed·2024-03-21
CVE-2024-2053 [HIGH] CWE-23 GHSA-92jp-q2g9-wmq7: The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code
VulnCheck
articatech artica_proxy Relative Path Traversal
vulncheck·2024·CVSS 7.5
CVE-2024-2053 [HIGH] articatech artica_proxy Relative Path Traversal
Affected: articatech artica_proxy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://tracker.crowdsec.net/cves/CVE-2024-
No detection rules found.
Nuclei
Artica Proxy - Unauthenticated LFI
nuclei·CVSS 7.5
CVE-2024-2053 [HIGH] Artica Proxy - Unauthenticated LFI
Template:

```yaml
id: CVE-2024-2053
info:
  name: Artica Proxy - Unauthenticated LFI
  author: pussycat0x
  severity: high
  description: |
    The Artica Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable co
```