CVE-2024-23756

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to use HTTP PUT and DELETE methods in Plone Docker version 5.2.13, enabling them to upload malicious files or delete existing files on the server. It affects systems running the official Plone Docker image version 5.2.13 (build 5221).

💻 Affected Systems

Products:
  • Plone CMS
Versions: Docker version 5.2.13 (build 5221)
Operating Systems: Any OS running Docker
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the official Docker image version 5.2.13; other Plone installations may not be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise through remote code execution via uploaded malicious files, data destruction through file deletion, or website defacement.

🟠 Likely Case: Unauthorized file upload leading to webshell deployment, data exfiltration, or denial of service through file deletion.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent external access to vulnerable instances.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation allows direct attack from the internet.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests with PUT/DELETE methods can exploit this vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to Plone Docker version 5.2.14 or later

Vendor Advisory: https://plone.org/security/advisories

Restart Required: Yes

Instructions:

1. Stop the vulnerable container.
2. Pull the updated image: docker pull plone:5.2.14
3. Deploy the new container with your configuration.

🔧 Temporary Workarounds

Disable HTTP PUT/DELETE methods

all

Configure the web server or reverse proxy in front of Plone to block the PUT and DELETE HTTP methods.

# For nginx: add 'limit_except GET POST { deny all; }' to the location block
# For Apache: use the 'LimitExcept GET POST' directive
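The nginx workaround above as a complete reverse-proxy server block. This is an added example, not configuration from the advisory or from the Plone project; the hostname, the backend address 127.0.0.1:8080, the site id "Plone" and the 10.0.0.0/8 editor subnet are assumptions.

```nginx
# Added example (not from the advisory): nginx in front of the Plone container,
# refusing PUT/DELETE before they reach the backend.
# Assumptions: Plone listens on 127.0.0.1:8080, the site id is "Plone",
# content editors come from 10.0.0.0/8.
server {
    listen 80;
    server_name plone.example.com;   # assumed hostname

    location / {
        # Only GET, HEAD (implied when GET is listed) and POST reach the
        # backend. Every other method, including PUT and DELETE, gets a 403
        # from nginx itself, so the vulnerable handler is never invoked.
        limit_except GET POST {
            # If editors legitimately need PUT/DELETE (WebDAV, plone.restapi),
            # allow them from the trusted subnet only instead of denying all:
            allow 10.0.0.0/8;
            deny all;
        }

        # Standard Plone virtual-host rewrite through the proxy.
        proxy_pass http://127.0.0.1:8080/VirtualHostBase/http/$host:80/Plone/VirtualHostRoot/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Drop the `allow` line for a blanket deny. Either way, check that the block also covers any secondary `location` entries (static files, the REST API path) so that no route bypasses the `limit_except`.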

Implement authentication requirement

all

Require authentication for all HTTP methods including PUT and DELETE

# Configure Plone security to require authentication for all methods

🧯 If You Can't Patch

  • Isolate vulnerable instances behind a WAF or reverse proxy that blocks PUT/DELETE methods
  • Implement strict network access controls to limit exposure to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Test whether HTTP PUT or DELETE methods are accepted without authentication:

curl -X PUT http://target/
curl -X DELETE http://target/

Check Version:

docker inspect plone_container | grep -i version

Verify Fix Applied:

After patching, verify PUT and DELETE methods are rejected or require authentication using the same curl commands.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200/201 responses to PUT requests
  • HTTP 200/204 responses to DELETE requests
  • Unauthenticated file upload attempts

Network Indicators:

  • HTTP PUT/DELETE requests to Plone endpoints
  • Unusual file upload patterns

SIEM Query:

http.method IN ("PUT", "DELETE") AND http.url CONTAINS "plone" AND NOT auth.success
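The log indicators and the SIEM query above, implemented as a small offline check over access-log lines. This is an added example, not tooling from the advisory or from Plone; it parses the common/combined log format and treats the remote-user field as the only authentication signal, which is an assumption (Basic auth appears there; Plone cookie sessions do not, so hits marked unauthenticated still need a second look). The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Common/combined access-log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Status codes that mean the write actually succeeded (page's log indicators).
SUCCESS_BY_METHOD = {"PUT": {200, 201, 204}, "DELETE": {200, 204}}


@dataclass
class Hit:
    ip: str
    method: str
    path: str
    status: int
    authenticated: bool  # assumption: remote-user field != "-" means authenticated


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hits(lines):
    """All PUT/DELETE requests that the server answered with a success status."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        method, status = rec["method"], int(rec["status"])
        if method in SUCCESS_BY_METHOD and status in SUCCESS_BY_METHOD[method]:
            hits.append(Hit(rec["ip"], method, rec["path"], status, rec["user"] != "-"))
    return hits


def unauthenticated_hits(lines):
    """The subset of hits with no authenticated user: the SIEM query's result set."""
    return [h for h in find_hits(lines) if not h.authenticated]


# Constructed sample log: one normal GET, two unauthenticated writes that
# succeeded, one authenticated DELETE, one PUT that the server rejected (405).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2024:10:00:01 +0000] "GET /Plone/front-page HTTP/1.1" 200 5123',
    '203.0.113.7 - - [01/Feb/2024:10:00:02 +0000] "PUT /Plone/uploads/new-file.txt HTTP/1.1" 201 0',
    '203.0.113.7 - - [01/Feb/2024:10:00:03 +0000] "DELETE /Plone/front-page HTTP/1.1" 204 0',
    '10.0.0.9 - admin [01/Feb/2024:10:00:04 +0000] "DELETE /Plone/old-news HTTP/1.1" 204 0',
    '198.51.100.2 - - [01/Feb/2024:10:00:05 +0000] "PUT /Plone/x HTTP/1.1" 405 0',
]

if __name__ == "__main__":
    for h in unauthenticated_hits(SAMPLE_LOG):
        print(f"ALERT {h.ip} {h.method} {h.path} -> {h.status}")
```

Run it over the proxy's access log rather than Plone's own log where a reverse proxy is in place, since after the nginx workaround the rejected requests show up there as 403 and never reach Plone; a 2xx to PUT/DELETE after mitigation indicates a bypass.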
