CVE-2024-21644
Published 2024-01-08
Priority P269 · Severity: high · CVSS 3.1 base score 7.5 · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT · EPSS 42.17% (98.5th percentile)
pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pyload-ng_project | pyload-ng | >= 0 < 0.5.0b3.dev77 | 0.5.0b3.dev77 |
| pyload | pyload | < 0.5.0b3.dev77 | 0.5.0b3.dev77 |
| pyload | pyload | <= 0.4.9 | — |
| pyload | pyload | — | — |
Detection & IOCs (extracted from sources)
- Unauthenticated GET request to /render/info.html returns HTTP 200 with Flask config contents including `'SECRET_KEY':` and `'pyload_session'` in the response body; this indicates successful exploitation of the config disclosure.
- Shodan/FOFA/ZoomEye fingerprinting queries for exposed pyLoad instances: search for html:"pyload", http.title:"login - pyload", or app="pyLoad" to identify potentially vulnerable targets.
- The vulnerability exists in pyLoad versions prior to 0.5.0b3.dev77; the /render/info.html endpoint is only exploitable unauthenticated on unpatched instances.
- Successful exploitation exposes the Flask SECRET_KEY, enabling potential session forgery/hijacking via the pyload_session cookie.
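As an added example that is not part of this page or of the pyLoad project, the following Python checks reverse-proxy access-log lines and a captured response body for the first indicator above. The log layout is assumed to be the common combined format, and the sample lines are constructed.

```python
"""Detect the CVE-2024-21644 indicators from the IOC list above in pyLoad
access logs and captured responses. Added example, not pyLoad project code."""
import re
from typing import Dict, List

# Combined Log Format as written by common reverse proxies (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
VULN_PATH = "/render/info.html"
# Body markers named in the IOC list: the leaked Flask config dict carries
# the SECRET_KEY entry and the session cookie name.
BODY_MARKERS = ("'SECRET_KEY':", "'pyload_session'")


def suspicious_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return log entries where /render/info.html was served with HTTP 200.

    A patched instance rejects or redirects unauthenticated requests, so a
    200 on this path is the signal; 302/401/403 responses are not flagged.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line
        path = m["path"].split("?", 1)[0].lower()  # drop the query string
        if m["method"] == "GET" and path == VULN_PATH and m["status"] == "200":
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"]})
    return hits


def body_leaks_config(body: str) -> bool:
    """True if a captured response body carries both config-leak markers."""
    return all(marker in body for marker in BODY_MARKERS)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2024:10:12:01 +0000] "GET /render/info.html HTTP/1.1" 200 5120 "-" "curl/8.4.0"',
    '203.0.113.7 - - [08/Jan/2024:10:12:05 +0000] "GET /login HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
    '198.51.100.2 - - [08/Jan/2024:10:13:00 +0000] "GET /render/info.html?x=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "garbage line that is not an access log entry",
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"possible config disclosure served to {hit['ip']} at {hit['ts']}")
```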
OSV · 2024-01-08
CVE-2024-21644 [HIGH] pyload Unauthenticated Flask Configuration Leakage vulnerability
### Summary
Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable.
### Details
Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable.
### PoC
Run `pyload` in the default configuration by running the following command:
```
pyload
```
Now browse to `http://localhost:8000/render/info.html`. Notice how the Flask configuration gets displayed.
I was quite amused by this finding. I think it's a very interesting coming together of things that is so unlikely to happen. Below I will detail my process a bit more.
I was looking through the code to see how the authorization mechanism is implemented when I s
GHSA · 2024-01-08
CVE-2024-21644 [HIGH] CWE-284 pyload Unauthenticated Flask Configuration Leakage vulnerability
No detection rules found.
Nuclei · CVSS 7.5
CVE-2024-21644 [HIGH] pyLoad Flask Config - Access Control
Template:
```yaml
id: CVE-2024-21644

info:
  name: pyLoad Flask Config - Access Control
  author: West-wise
  severity: high
  description: |
    pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77.
  impact: |
    Unauthenticated attackers can access the Flask SECRET_KEY and other sensitive configuration variables, potentially enabling s
```
No writeups or analysis indexed.
References:
- https://github.com/pyload/pyload/commit/bb22063a875ffeca357aaf6e2edcd09705688c40
- https://github.com/pyload/pyload/security/advisories/GHSA-mqpq-2p68-46fv