CVE-2024-29640
📋 TL;DR
A remote code execution vulnerability in aliyundrive-webdav versions 2.3.3 and earlier allows attackers to execute arbitrary commands on affected systems by sending a crafted payload to the sid parameter in the action_query_qrcode component. This affects all users running vulnerable versions of aliyundrive-webdav software.
💻 Affected Systems
- aliyundrive-webdav
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the server, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Remote attacker executes arbitrary commands with web server privileges, potentially accessing sensitive files, modifying configurations, or deploying malware.
If Mitigated
If properly segmented and monitored, impact limited to the webdav service container with no lateral movement to other systems.
🎯 Exploit Status
Public proof-of-concept available in GitHub repository; exploitation requires minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.3.4 or later
Vendor Advisory: https://github.com/messense/aliyundrive-webdav
Restart Required: Yes
Instructions:
1. Stop aliyundrive-webdav service. 2. Update to v2.3.4 or later using package manager or manual download. 3. Restart the service.
🔧 Temporary Workarounds
Disable vulnerable component
allDisable or block access to the action_query_qrcode endpoint if not required
# Configure web server to block /action_query_qrcode requests
# Example nginx: location ~ /action_query_qrcode { deny all; }
Network segmentation
linuxRestrict network access to aliyundrive-webdav service
# Example iptables rule: iptables -A INPUT -p tcp --dport [webdav-port] -s [trusted-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [webdav-port] -j DROP
🧯 If You Can't Patch
- Immediately isolate affected systems from internet and critical networks
- Implement strict network access controls and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check aliyundrive-webdav version; if version is 2.3.3 or earlier, system is vulnerable.Check Version:
aliyundrive-webdav --versionVerify Fix Applied:
Confirm version is 2.3.4 or later and test that action_query_qrcode endpoint properly validates input.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /action_query_qrcode
- Suspicious command execution in web server logs
- Unexpected process spawns from webdav service
Network Indicators:
- HTTP requests with crafted payloads in sid parameter
- Outbound connections from webdav service to unexpected destinations
SIEM Query:
source="webdav-logs" AND (uri="/action_query_qrcode" OR message="sid=*")