CVE-2024-31214
Published 2024-04-10
Priority: P2 (70) · Severity: critical · CVSS 3.1: 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EXPLOIT · EPSS: 17.63% (96.8th percentile)
Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it is not possible for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DoS, etc. The default install of Traccar makes this vulnerability more severe: self-registration is enabled by default, allowing anyone to create an account and exploit this vulnerability, and Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. Administrators may also turn off self-registration, which would make most vulnerabilities in the application much harder to exploit and reduce the severity considerably.
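As an added illustration (this is not Traccar's code and not the fix shipped in 6.0), the check below shows what confining an upload path looks like when both a directory component and the extension come from the client, which is the primitive the description above turns into an arbitrary file write. It assumes a storage layout of <media root>/<device unique id>/<name>.<extension> with the extension derived from the request's Content-Type; that layout and the extension allowlist are assumptions made for the example, not quotes of the project's source.

```python
"""Added example (not Traccar's code): confine a client-influenced upload path.

Assumptions, not taken from the project's source: the destination is built as
<media_root>/<unique_id>/<name>.<extension>, unique_id is a client-chosen device
identifier, and the extension is derived from the request's Content-Type.
The allowlist below is an example policy.
"""
from pathlib import Path

ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "webp"})  # example policy


class UnsafeUploadPath(ValueError):
    """Raised when a request would write outside the media root or with a disallowed type."""


def extension_from_content_type(content_type: str) -> str:
    """Map an image/* Content-Type to an allowlisted extension; never echo it into a path blindly."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if not media_type.startswith("image/"):
        raise UnsafeUploadPath(f"not an image content type: {content_type!r}")
    ext = media_type[len("image/"):]
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeUploadPath(f"extension not allowed: {ext!r}")
    return ext


def safe_upload_path(media_root: str, unique_id: str, name: str, content_type: str) -> Path:
    """Return the destination path, raising if the request would escape media_root."""
    ext = extension_from_content_type(content_type)
    # The identifier must be exactly one path component: no separators, no dot-dirs, no NUL.
    if (not unique_id or unique_id in (".", "..")
            or any(c in unique_id for c in "/\\\x00")):
        raise UnsafeUploadPath(f"unique id is not a single path component: {unique_id!r}")
    root = Path(media_root).resolve()
    candidate = (root / unique_id / f"{name}.{ext}").resolve()
    # Containment check after resolution catches anything the component check missed
    # (e.g. a symlinked directory under the media root that points elsewhere).
    if root not in candidate.parents:
        raise UnsafeUploadPath(f"resolved path leaves media root: {candidate}")
    return candidate


def is_safe(media_root: str, unique_id: str, name: str, content_type: str) -> bool:
    """Boolean wrapper around safe_upload_path for policy checks and tests."""
    try:
        safe_upload_path(media_root, unique_id, name, content_type)
        return True
    except UnsafeUploadPath:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign request, one traversing identifier, one non-image type.
    for uid, ctype in [("dev123", "image/png"), ("../../etc/cron.d", "image/png"), ("dev123", "image/sh")]:
        verdict = "accepted" if is_safe("/srv/traccar/media", uid, "device", ctype) else "rejected"
        print(f"{uid!r} {ctype} -> {verdict}")
```

The two checks are deliberately redundant: rejecting separators in the identifier stops traversal before any path is built, and the post-resolution containment check covers cases the component check cannot see, such as symlinks below the media root. Restricting the extension to an allowlist removes the second half of the primitive (the attacker-chosen extension) even if a directory escape were somehow found.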
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| traccar | traccar | — (unspecified) | — |
| traccar | traccar | 5.1 – 5.12 | 6.0 (per the description) |
Detection & IOCs (extracted from sources)
- Monitor for file creation events outside the expected Traccar media/upload directories, especially in sensitive paths (e.g., /etc/cron.d/, web roots), originating from the Traccar process. This indicates path traversal (CVE-2024-24809) chained with the unrestricted file upload (CVE-2024-31214).
- Alert on a new user self-registration followed shortly by calls to the device image upload API from the same client; default-on self-registration is the primary enabler for exploitation without a pre-existing account.
- Detect HTTP POST/PUT requests to the Traccar device image upload endpoint whose filename or path parameters contain path traversal sequences (e.g., '../', including URL-encoded forms), which enable writing files outside the intended upload directory.
- On Red Hat-based Linux systems running Traccar, monitor for unexpected new cron job files created under /etc/cron.d/ by the Traccar service account or root; the Metasploit module specifically targets this persistence mechanism.
- Flag Traccar processes running as root/SYSTEM: exploitation under these privileges allows file writes anywhere on the filesystem, dramatically increasing the blast radius and making post-exploitation artifacts harder to scope.
- Traccar's default configuration enables self-registration, which lets anyone create an account and immediately exploit this vulnerability; disabling self-registration significantly raises the bar for exploitation.
- Traccar runs as root/SYSTEM by default; this default privilege level turns a file-write primitive into a full system compromise. Deployments should be hardened to run as a least-privilege service account.
- The vulnerability affects Traccar versions 5.1 through 5.12 only; version 6.0 contains the fix. Upgrade to 6.0+; until then, disable self-registration as a compensating control (it does not remove the vulnerability).
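The two request-level indicators above (traversal sequences in requests to the device image upload endpoint, and a self-registration followed shortly by an upload from the same client) are implemented as a small access-log scanner below. This is an added example, not code from the page's sources or from the Traccar project; the log lines are constructed, and the endpoint paths POST /api/users (self-registration) and POST /api/devices/<id>/image (upload) are assumptions. The file-creation and /etc/cron.d indicators need host-side telemetry and are not covered here.

```python
"""Added example: scan combined-format access logs for two indicators.

Assumptions (not from the page's sources): self-registration is a POST to
/api/users and the upload is a POST/PUT to /api/devices/<id>/image. Note that an
authenticated admin creating a user also POSTs /api/users, so the correlation
rule is a lead to triage, not proof of abuse.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample traffic (combined log format); not real captures.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2024:12:00:01 +0000] "POST /api/users HTTP/1.1" 200 312 "-" "curl/8.4.0"
203.0.113.7 - - [10/Apr/2024:12:00:05 +0000] "POST /api/devices HTTP/1.1" 200 211 "-" "curl/8.4.0"
203.0.113.7 - - [10/Apr/2024:12:00:09 +0000] "POST /api/devices/42/image HTTP/1.1" 200 17 "-" "curl/8.4.0"
198.51.100.3 - - [10/Apr/2024:12:30:00 +0000] "GET /api/session HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Apr/2024:12:31:00 +0000] "POST /api/devices/7/image?name=..%2F..%2Fetc%2Fcron.d HTTP/1.1" 200 17 "-" "python-requests/2.31"
192.0.2.9 - - [10/Apr/2024:13:00:00 +0000] "POST /api/devices/3/image HTTP/1.1" 200 17 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_RE = re.compile(r"^/api/devices/\d+/image(?:[/?]|$)")  # assumed endpoint shape
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
REGISTER_WINDOW = timedelta(minutes=10)  # "followed shortly by": tune to the environment


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def has_traversal(target):
    """True if the request target contains a dot-dot segment, including single- or double-URL-encoded."""
    decoded = unquote(unquote(target))
    return TRAVERSAL_RE.search(decoded) is not None


def detect(log_text):
    """Return a list of (rule, client_ip, timestamp) findings in log order."""
    findings = []
    registrations = {}  # client ip -> timestamp of its most recent POST /api/users
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, target = rec["ip"], rec["ts"], rec["method"], rec["target"]
        if method == "POST" and target.split("?", 1)[0] == "/api/users":
            registrations[ip] = ts
            continue
        if method in ("POST", "PUT") and UPLOAD_RE.match(target):
            if has_traversal(target):
                findings.append(("traversal_in_image_upload", ip, ts))
            reg_ts = registrations.get(ip)
            if reg_ts is not None and ts - reg_ts <= REGISTER_WINDOW:
                findings.append(("register_then_upload", ip, ts))
    return findings


if __name__ == "__main__":
    for rule, ip, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {rule}")
```

If the traversal sequence travels in a request body rather than the URL (for instance when a device identifier is set through the device API and only later used to build the upload path), an access log will not show it; that is why the host-side file-creation and /etc/cron.d checks above remain the stronger signal, with this scanner as the cheap network-side complement.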
No advisories linked to this vulnerability.
No detection rules found.
References
https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56
https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191
https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f
https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9