CVE-2024-46986
Published: 2024-09-18
Priority: P1 80 · critical 9.9 (CVSS 3.1)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 35.46% (98.2th percentile)
Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). For example, this can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application. This issue has been addressed in release version 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| camaleon_cms | camaleon_cms | >= 2.8.0 < 2.8.1 | 2.8.1 |
| owen2345 | camaleon-cms | < 2.8.2 | 2.8.2 |
| tuzitio | camaleon_cms | < 2.8.2 | 2.8.2 |
Detection & IOCs
- Monitor for multipart file upload POST requests to /admin/media/upload containing a 'folder' field with path traversal sequences (e.g., '../../../') targeting sensitive Rails directories such as config/initializers/ or tmp/.
- Detect upload of .rb (Ruby) files via the MediaController upload endpoint, especially when the destination folder parameter contains directory traversal sequences pointing to config/initializers/.
- Alert on upload of a file named 'restart.txt' to the ../../../tmp/ path, which triggers a Rails application restart and causes deferred RCE from any previously written initializer.
- Use Shodan/FOFA queries to identify exposed Camaleon CMS instances for proactive asset identification.
- Detect DNS callback interactions (OOB) following a Ruby file upload to config/initializers/, which confirms RCE via the curl backtick payload pattern.
- Exploitation requires authenticated access (low-privileged user). The vulnerability is in the 'folder' parameter of the media upload endpoint, which is not sanitized against path traversal. RCE is delayed until the Rails application restarts (triggered by writing restart.txt to tmp/).
- RCE impact depends on filesystem permissions of the user running the Camaleon CMS process. The attack chain requires two upload requests: first to write a malicious .rb initializer, then to write restart.txt to tmp/ to trigger a reload.
- Fixed in version 2.8.2. Versions prior to 2.8.1 are confirmed vulnerable per the Nuclei template classification.
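The two points above, the unsanitized 'folder' parameter and the upload patterns the detection notes describe, are illustrated by the following Ruby example written for this page. It is not Camaleon CMS code and not the 2.8.2 fix; the media root path, the function names and the sample request records are constructed. The first half shows the defensive check an upload handler needs (resolve the requested folder against a fixed root and refuse anything that escapes it); the second half turns the detection notes into a small scanner over constructed upload records.

```ruby
# Added example for this page: not Camaleon CMS code and not the 2.8.2 fix.
# MEDIA_ROOT, the function names and the sample values below are constructed.

# Base directory below which every upload must land (hypothetical path).
MEDIA_ROOT = File.expand_path("/srv/app/public/media").freeze

class UploadPathError < StandardError; end

# Resolves the destination for `filename` inside the user-supplied `folder`
# and raises UploadPathError when the result would leave MEDIA_ROOT.
# File.expand_path collapses "..", "." and repeated separators, so any
# traversal (or an absolute folder such as "/etc") shows up as a resolved
# directory that does not sit under the root.
def safe_upload_path(folder, filename, root = MEDIA_ROOT)
  name = filename.to_s
  if name.empty? || name != File.basename(name) || name.start_with?(".")
    raise UploadPathError, "filename must be a plain basename: #{name.inspect}"
  end
  dest_dir = File.expand_path(folder.to_s, root)
  unless dest_dir == root || dest_dir.start_with?(root + File::SEPARATOR)
    raise UploadPathError, "folder escapes the media root: #{folder.inspect}"
  end
  File.join(dest_dir, name)
end

# Convenience predicate for callers that only need an allow/deny answer.
def upload_path_allowed?(folder, filename, root = MEDIA_ROOT)
  safe_upload_path(folder, filename, root)
  true
rescue UploadPathError
  false
end

# Detection side: given the 'folder' and filename fields of one multipart
# upload request, return the indicators the detection notes describe
# (traversal in the folder, a Ruby source file, an initializer directory
# as target, or a restart.txt written into tmp/).
def upload_indicators(folder, filename)
  segments = folder.to_s.split(%r{[\\/]+})
  name = filename.to_s
  reasons = []
  reasons << :traversal          if segments.include?("..")
  reasons << :ruby_source        if File.extname(name).casecmp?(".rb")
  reasons << :initializer_target if segments.each_cons(2).include?(%w[config initializers])
  reasons << :restart_trigger    if name == "restart.txt" && segments.last == "tmp"
  reasons
end

# Constructed request records, as an application or proxy log might hold them.
SAMPLE_REQUESTS = [
  { path: "/admin/media/upload", folder: "images/2024", filename: "banner.png" },
  { path: "/admin/media/upload", folder: "../../../config/initializers", filename: "zz_init.rb" },
  { path: "/admin/media/upload", folder: "../../../tmp", filename: "restart.txt" },
].freeze

# Returns only the upload requests that carry at least one indicator,
# each annotated with the reasons it was flagged.
def flag_requests(requests = SAMPLE_REQUESTS)
  requests.filter_map do |req|
    next unless req[:path] == "/admin/media/upload"
    reasons = upload_indicators(req[:folder], req[:filename])
    req.merge(reasons: reasons) unless reasons.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  flag_requests.each do |hit|
    puts "#{hit[:folder]}/#{hit[:filename]} -> #{hit[:reasons].join(', ')}"
  end
end
```

The prefix check compares against `root + File::SEPARATOR` rather than `root` alone so that a sibling directory such as `/srv/app/public/media2` is not accepted. `File.expand_path` does not resolve symlinks; if the media tree may contain them, resolve the existing parent directory with `File.realpath` before the comparison. The indicator scanner is deliberately narrow (it keys on the fields the detection notes name) and is meant to be run over parsed request parameters, not raw multipart bodies.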
OSV · 2024-09-18
CVE-2024-46986 [HIGH] Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)
An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). For example, this can lead to a delayed remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application.
Once a user upload is started via the [upload](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L86-L87) method, the file_upload and the folder parameter
```ruby
def upload(settings = {})
  par
```
GHSA · 2024-09-18
CVE-2024-46986 [HIGH] CWE-22 Camaleon CMS affected by arbitrary file write to RCE (GHSL-2024-182)
No detection rules found.
Nuclei · CVSS 9.9
CVE-2024-46986 [CRITICAL] Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files to any location on the web server Camaleon CMS is running on (depending on the permissions of the underlying filesystem). For example, this can lead to a remote code execution in case an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application.
Template:
```yaml
id: CVE-2024-46986
info:
  name: Camaleon CMS < 2.8.1 Arbitrary File Write to RCE
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    An arbitrary file write vulnerability accessible via the upload method of the MediaController allows authenticated users to write arbitrary files t
```
No writeups or analysis indexed.
References
- https://codeql.github.com/codeql-query-help/ruby/rb-path-injection
- https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-wmjg-vqhv-q5p5
- https://owasp.org/www-community/attacks/Path_Traversal
- https://securitylab.github.com/advisories/GHSL-2024-182_GHSL-2024-186_Camaleon_CMS
- https://www.reddit.com/r/rails/comments/1exwtdm/camaleon_cms_281_has_been_released