Fluid Attacks Database

Description

Drupal Full Path Disclosure core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	drupal/drupal	>=10.3.0 <10.3.6 \|\| >=11.0.0 <11.0.5 \|\| >=8.0.0 <10.2.9	10.3.6, 11.0.5, 10.2.9
packagist	drupal/core-recommended	>=10.3.0 <10.3.6 \|\| >=11.0.0 <11.0.5 \|\| >=8.0.0 <10.2.9	10.3.6, 11.0.5, 10.2.9
packagist	drupal/core	>=10.3.0 <10.3.6 \|\| >=11.0.0 <11.0.5 \|\| >=8.0.0 <10.2.9	10.3.6, 11.0.5, 10.2.9

Aliases

1. CVE-2024-454402. NVD-2024-454403. OSV-2024-454404. GCVE-2024-45440

References

1. https://github.com/github/advisory-database/pull/48272. https://senscybersecurity.nl/CVE-2024-45440-Explained3. https://www.drupal.org/project/drupal/issues/34577814. https://www.drupal.org/project/drupal/releases/10.2.95. https://www.drupal.org/project/drupal/releases/10.3.66. https://www.drupal.org/project/drupal/releases/11.0.57. https://www.exploit-db.com/exploits/522668. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-45440.yaml9. https://github.com/w0r1i0g1ht/CVE-2024-45440

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.