CVE-2024-27105
📋 TL;DR
This vulnerability allows less privileged users to bypass file permission controls in Frappe framework, enabling them to delete or clone files they shouldn't have access to. It affects all Frappe installations running versions before 14.66.3 or 15.16.0. The issue stems from improper authorization checks in certain endpoints.
💻 Affected Systems
- Frappe Framework
📦 What is this software?
Frappe by Frappe
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could delete critical system files, clone sensitive documents, or manipulate business data, potentially causing data loss, service disruption, or data exfiltration.
Likely Case
Internal users with limited permissions could access and manipulate files beyond their intended scope, leading to data integrity issues or unauthorized information access.
If Mitigated
With proper network segmentation and minimal user privileges, impact would be limited to specific file operations within the application's scope.
🎯 Exploit Status
Exploitation requires authenticated access but with lower privileges than intended for file operations. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.66.3 or 15.16.0
Vendor Advisory: https://github.com/frappe/frappe/security/advisories/GHSA-hq5v-q29v-7rcw
Restart Required: Yes
Instructions:
1. Identify your Frappe version.
2. For version 14.x: Upgrade to 14.66.3 or later.
3. For version 15.x: Upgrade to 15.16.0 or later.
4. Restart the Frappe application server.
5. Verify the patch is applied.
🔧 Temporary Workarounds
No official workarounds
The vendor advisory states no known workarounds are available. Patching is the only mitigation.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Frappe instances from sensitive systems
- Apply principle of least privilege to all user accounts and regularly audit file permissions
🔍 How to Verify
Check if Vulnerable:
Check the Frappe version with the bench version command, or inspect the frappe/__init__.py file for the version number
Check Version:
bench version
Verify Fix Applied:
Verify version is 14.66.3+ or 15.16.0+ and test file permission controls with low-privilege users
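The version check above can be automated. The following script is an added example, not part of the advisory or the Frappe project; it parses the frappe line from bench version output (assumed format: one app per line, name followed by version) and compares it against the fixed versions named on this page. It assumes branches older than 14 never received the fix and release lines after 15 include it.

```python
import re

# Fixed versions named in the advisory, keyed by major version.
FIXED = {14: (14, 66, 3), 15: (15, 16, 0)}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as
    '15.16.0', 'v14.66.3' or '15.16.0-develop'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True when the version is before the fixed release of its line."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED:
        return v < FIXED[major]
    if major < 14:
        # Assumption: release lines older than 14 never received the fix.
        return True
    # Assumption: release lines after 15 were cut with the fix included.
    return False


def frappe_version_from_bench_output(output):
    """Pick the frappe app line out of `bench version` output.
    Assumption: one app per line, app name then version."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "frappe":
            return parts[1]
    raise ValueError("frappe not found in bench version output")


def check_bench_output(output):
    """Return (frappe_version, vulnerable) for a bench version dump."""
    ver = frappe_version_from_bench_output(output)
    return ver, is_vulnerable(ver)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real system.
    sample = "erpnext 15.10.0\nfrappe 15.15.2\n"
    ver, vuln = check_bench_output(sample)
    print(f"frappe {ver}: {'VULNERABLE' if vuln else 'patched'}")
```

Run it as `bench version | python check_frappe.py` after replacing the constructed sample with `sys.stdin.read()`; a version-only check does not replace the functional test with a low-privilege user described above.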
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion or cloning activities from low-privilege users
- Access to file management endpoints by unauthorized users
Network Indicators:
- HTTP requests to file-related endpoints from unexpected user accounts
SIEM Query:
source="frappe_logs" AND (event="file_delete" OR event="file_clone") AND user_role="low_privilege"
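The SIEM query above assumes fields named event and user_role. As an added example that is not part of the advisory or of Frappe, the script below applies the same logic outside a SIEM: it reads JSON log records (a constructed format, one object per line), keeps file delete and clone events by low-privilege roles, and counts them per user so that a burst from one account stands out. The field names and the role label are assumptions to adapt to your own logging.

```python
import json
from collections import Counter

# Event names and role label mirror the SIEM query on this page;
# adjust them to whatever your log pipeline emits.
FILE_EVENTS = {"file_delete", "file_clone"}
LOW_PRIV_ROLES = {"low_privilege"}


def parse_records(lines):
    """Yield parsed JSON records, skipping lines that are not JSON."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def suspicious_file_events(lines):
    """Return records for file delete/clone events by low-privilege users."""
    return [
        rec
        for rec in parse_records(lines)
        if rec.get("event") in FILE_EVENTS
        and rec.get("user_role") in LOW_PRIV_ROLES
    ]


def per_user_counts(records):
    """Count suspicious events per user to surface unusual volume."""
    return Counter(rec.get("user", "<unknown>") for rec in records)


def users_over_threshold(lines, threshold=2):
    """Users whose suspicious file-event count reaches the threshold."""
    counts = per_user_counts(suspicious_file_events(lines))
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample log lines, not real Frappe output.
SAMPLE_LOG = [
    '{"ts":"2024-03-01T10:00:01Z","event":"file_delete","user":"alice","user_role":"low_privilege"}',
    '{"ts":"2024-03-01T10:00:02Z","event":"file_clone","user":"alice","user_role":"low_privilege"}',
    '{"ts":"2024-03-01T10:00:03Z","event":"file_delete","user":"admin","user_role":"system_manager"}',
    '{"ts":"2024-03-01T10:00:04Z","event":"login","user":"bob","user_role":"low_privilege"}',
    'not json at all',
    '{"ts":"2024-03-01T10:00:05Z","event":"file_clone","user":"bob","user_role":"low_privilege"}',
]

if __name__ == "__main__":
    hits = suspicious_file_events(SAMPLE_LOG)
    print(f"{len(hits)} suspicious file events")
    for user, n in per_user_counts(hits).most_common():
        print(f"  {user}: {n}")
    print("over threshold:", users_over_threshold(SAMPLE_LOG))
```

The threshold is deliberately low for the sample; on a real system set it from a baseline of normal file activity per role, since a single delete by a low-privilege user may be legitimate.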