CVE-2024-45440
published 2024-08-29

Priority: P342 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT
EPSS: 9.27% (94.7th percentile)
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | core | >= 10.3.0 < 10.3.6 | 10.3.6 |
| drupal | core | >= 11.0.0 < 11.0.5 | 11.0.5 |
| drupal | core | >= 8.0.0 < 10.2.9 | 10.2.9 |
| drupal | core-recommended | >= 10.3.0 < 10.3.6 | 10.3.6 |
| drupal | core-recommended | >= 11.0.0 < 11.0.5 | 11.0.5 |
| drupal | core-recommended | >= 8.0.0 < 10.2.9 | 10.2.9 |
| drupal | drupal | | |
| drupal | drupal | >= 10.3.0 < 10.3.6 | 10.3.6 |
| drupal | drupal | >= 11.0.0 < 11.0.5 | 11.0.5 |
| drupal | drupal | >= 8.0.0 < 10.2.9 | 10.2.9 |
| drupal | drupal_core | | |

Detection & IOCs (extracted from sources)

path: /core/authorize.php
yara: words: ["getHashSalt", "RuntimeException"], condition: and
  • Send a GET request to /core/authorize.php and inspect the response body for the strings 'getHashSalt' AND 'RuntimeException' simultaneously — their co-presence indicates the full path disclosure is triggered.
  • Scan HTTP response bodies from /core/authorize.php for a regex pattern matching a filesystem path ending in 'settings.php' (e.g. r'(/.*?settings\.php)') to extract the disclosed server path.
  • The vulnerability is exploitable with a plain unauthenticated GET request to /core/authorize.php — no authentication or special parameters are required.
  • Shodan queries 'http.component:"drupal"' and 'cpe:"cpe:2.3:a:drupal:drupal"' can be used to identify potentially vulnerable internet-facing Drupal instances for proactive scanning.
  • The vulnerability triggers Full Path Disclosure even when Drupal's error logging is set to 'None', meaning standard error-suppression configuration does NOT mitigate exposure.
  • The root cause is hash_salt being configured as file_get_contents() referencing a non-existent file; the RuntimeException/getHashSalt error leaks the full server filesystem path in the HTTP response.

CVSS provenance

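| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| osv | | 5.3 | MEDIUM | |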