CVE-2024-45440
Published: 2024-08-29
Priority: P3 · 42 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 9.27% (94.7th percentile)
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.3.0 < 10.3.6 | 10.3.6 |
| drupal | core | >= 11.0.0 < 11.0.5 | 11.0.5 |
| drupal | core | >= 8.0.0 < 10.2.9 | 10.2.9 |
| drupal | core-recommended | >= 10.3.0 < 10.3.6 | 10.3.6 |
| drupal | core-recommended | >= 11.0.0 < 11.0.5 | 11.0.5 |
| drupal | core-recommended | >= 8.0.0 < 10.2.9 | 10.2.9 |
| drupal | drupal | — | — |
| drupal | drupal | >= 10.3.0 < 10.3.6 | 10.3.6 |
| drupal | drupal | >= 11.0.0 < 11.0.5 | 11.0.5 |
| drupal | drupal | >= 8.0.0 < 10.2.9 | 10.2.9 |
| drupal | drupal_core | — | — |
Detection & IOCs
yara
words: ["getHashSalt", "RuntimeException"] condition: and
- Send a GET request to /core/authorize.php and inspect the response body for the strings 'getHashSalt' AND 'RuntimeException' simultaneously; their co-presence indicates the full path disclosure is triggered.
- Scan HTTP response bodies from /core/authorize.php for a regex pattern matching a filesystem path ending in 'settings.php' (e.g. r'(/.*?settings\.php)') to extract the disclosed server path.
- The vulnerability is exploitable with a plain unauthenticated GET request to /core/authorize.php; no authentication or special parameters are required.
- Shodan queries 'http.component:"drupal"' and 'cpe:"cpe:2.3:a:drupal:drupal"' can be used to identify potentially vulnerable internet-facing Drupal instances for proactive scanning.
- The vulnerability triggers Full Path Disclosure even when Drupal's error logging is set to 'None', meaning standard error-suppression configuration does NOT mitigate exposure.
- The root cause is hash_salt being configured as file_get_contents() referencing a non-existent file; the RuntimeException/getHashSalt error leaks the full server filesystem path in the HTTP response.
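A configuration-side check for the root cause listed above, as an added example that is not taken from the page's sources or from the Drupal project: it scans the text of a settings.php for active `hash_salt = file_get_contents(...)` assignments and reports whether the referenced file is missing. The function names, status labels and sample settings text are constructed for illustration; the `empty` and `review` statuses go slightly beyond the case in the CVE text.

```python
import os
import re
import tempfile

ASSIGN = re.compile(  # active (non-commented) hash_salt = file_get_contents(...)
    r"""^[ \t]*\$settings\[\s*['"]hash_salt['"]\s*\]\s*=\s*"""
    r"""file_get_contents\((?P<arg>[^;]*)\)\s*;""",
    re.MULTILINE,
)
LITERAL = re.compile(r"""^\s*(['"])(?P<path>[^'"$]+)\1\s*$""")


def audit_hash_salt(settings_php, base_dir="."):
    """Return one finding per active hash_salt = file_get_contents(...) line."""
    findings = []
    for m in ASSIGN.finditer(settings_php):
        line = settings_php.count("\n", 0, m.start("arg")) + 1
        lit = LITERAL.match(m.group("arg"))
        if not lit:  # concatenation, constants or variables: not resolvable here
            findings.append({"line": line, "path": None, "status": "review"})
            continue
        path = os.path.join(base_dir, lit.group("path"))
        if not os.path.isfile(path):
            status = "missing"  # the precondition named in the CVE description
        elif os.path.getsize(path) == 0:
            status = "empty"    # an empty file yields an empty salt as well
        else:
            status = "ok"
        findings.append({"line": line, "path": path, "status": status})
    return findings


def demo():
    """Run the audit on a constructed settings.php in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "salt.txt")
        with open(good, "w") as fh:
            fh.write("constructed-sample-salt\n")
        sample = (
            "<?php\n"
            "# $settings['hash_salt'] = file_get_contents('/commented/out.txt');\n"
            f"$settings['hash_salt'] = file_get_contents('{good}');\n"
            f"$settings['hash_salt'] = file_get_contents('{tmp}/absent.txt');\n"
            "$settings['hash_salt'] = file_get_contents(DRUPAL_ROOT . '/../salt.txt');\n"
        )
        return [(f["line"], f["status"]) for f in audit_hash_salt(sample, tmp)]

if __name__ == "__main__":
    print(demo())
```

A `missing` finding is the condition to fix before or alongside upgrading to a fixed release from the table above; `review` lines need a manual look because the path is built at runtime.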
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
osv · 5.3 MEDIUM
OSV
CVE-2024-45440: core/authorize
osv·2024-08-29·CVSS 5.3
CVE-2024-45440 [MEDIUM] CVE-2024-45440: core/authorize
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
GHSA
Drupal Full Path Disclosure
ghsa·2024-08-29
CVE-2024-45440 [MEDIUM] CWE-209 Drupal Full Path Disclosure
`core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.
OSV
Drupal Full Path Disclosure
osv·2024-08-29
CVE-2024-45440 [MEDIUM] Drupal Full Path Disclosure
`core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.
No detection rules found.
Exploit-DB
Drupal 11.x-dev - Full Path Disclosure
exploitdb·2025-04-19·CVSS 5.3
CVE-2024-45440 [MEDIUM] Drupal 11.x-dev - Full Path Disclosure
---
```python
#!/usr/bin/env python
# Exploit Title: Drupal 11.x-dev - Full Path Disclosure
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Version: 11.x-dev
# CVE: CVE-2024-45440
# -*- coding:UTF-8 -*-
import re
import requests


def banners():
    cve_id = "CVE-2024-45440"
    description = "Drupal 11.x-dev Full Path Disclosure Vulnerability: " \
                  "core/authorize.php allows Full Path Disclosure (even when error logging is None) " \
                  "if the value of hash_salt is file_get_contents of a file that does not exist."
    # The listing is truncated at this point on the source page.
    disclaimer = "This tool is for educational purposes only. Any misuse of this information is the respons…"
```
Nuclei
Drupal 11.x-dev - Full Path Disclosure
nuclei·CVSS 5.3
CVE-2024-45440 [MEDIUM] Drupal 11.x-dev - Full Path Disclosure
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
Template:
```yaml
id: CVE-2024-45440

info:
  name: Drupal 11.x-dev - Full Path Disclosure
  author: DhiyaneshDK
  severity: medium
  description: |
    core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
  impact: |
    Attackers can obtain full path disclosure information even when error logging is disabled.
  remediation: |
    Configure hash_salt properly and ensure it references an existing file, or update to a patched Drupal version.
  reference:
    - https://senscybersecurity.nl/
```
No writeups or analysis indexed.