CVE-2024-50334
published 2024-10-29CVE-2024-50334: Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a…
PriorityP180medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.01%
58.7th percentile
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type: application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| erudika | scoold | < 1.64.0 | 1.64.0 |
| erudika | scoold | <= 1.64.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
otherscoold.app_name
otherhtml:"scoold-wrapper"
commandPUT /api;/config HTTP/1.1
Host: {{Hostname}}
Content-Type: application/hocon
- →Detect authentication bypass attempts by monitoring HTTP requests to paths containing '/api;/config' — the semicolon path injection bypasses authentication on the Scoold API endpoint. ↗
- →Alert on PUT requests to '/api;/config' with 'Content-Type: application/hocon' header from unauthenticated sources, indicating HOCON file inclusion exploitation. ↗
- →Successful exploitation returns HTTP 200 with a JSON body containing 'scoold.app_name' and Content-Type 'application/json' — use this as a confirmation matcher.
- →Use Shodan query 'html:"scoold-wrapper"' to identify exposed Scoold instances potentially vulnerable to this CVE.
- ·The vulnerability only exists when the Scoold API is enabled. Disabling it via configuration mitigates the issue entirely. ↗
- ·The vulnerability affects Scoold versions prior to 1.64.0; patched instances running 1.64.0 or later are not affected. ↗
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck8.7HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Scoold < 1.64.0 - Authentication Bypass
nuclei·CVSS 8.7
CVE-2024-50334 [HIGH] Scoold < 1.64.0 - Authentication Bypass
Scoold < 1.64.0 - Authentication Bypass
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type- application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false.
Template:
id:
No writeups or analysis indexed.
2024-10-29
Published
Exploited in the wild