CVE-2024-31214
📋 TL;DR
Traccar GPS tracking system versions 5.1 through 5.12 contain an unrestricted file upload vulnerability in the device image upload API. Attackers can upload arbitrary files with controlled content, names, and extensions to any location on the file system, potentially leading to remote code execution, cross-site scripting, or denial of service. All users running affected versions with default configurations are vulnerable.
💻 Affected Systems
- Traccar GPS Tracking System
📦 What is this software?
Traccar by Traccar
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with root/system privileges leading to complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Remote code execution leading to web shell deployment, data exfiltration, or system disruption.
If Mitigated
Limited impact with proper file upload restrictions and non-privileged execution context.
🎯 Exploit Status
Self-registration enabled by default allows unauthenticated exploitation. File upload API provides full control over file parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0
Vendor Advisory: https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9
Restart Required: Yes
Instructions:
1. Back up your Traccar configuration and data.
2. Stop the Traccar service.
3. Upgrade to Traccar version 6.0 or later.
4. Restart the Traccar service.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable Self-Registration
(All platforms) Prevents unauthenticated users from creating accounts to exploit the vulnerability.
Edit traccar.xml configuration file and set <entry key='web.registration'>false</entry>
Run Traccar with Non-Privileged User
(Linux) Limits file system access to prevent writing to sensitive locations.
Create dedicated user: sudo useradd -r -s /bin/false traccar
Change ownership: sudo chown -R traccar:traccar /opt/traccar
Update service configuration to run as traccar user
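A small audit check for the first workaround, added here as an example and not part of the advisory or of Traccar itself. It parses the Java-properties style of traccar.xml shown above, reports whether web.registration is still enabled, and treats a missing entry as enabled because the advisory states self-registration is on by default. Both configuration snippets are constructed for the example; only the entry key and value come from the page.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of a traccar.xml before the workaround (not a real deployment's file).
VULNERABLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
<properties>
  <entry key='web.port'>8082</entry>
  <entry key='web.registration'>true</entry>
</properties>
"""

# Same excerpt with the workaround from the advisory applied.
HARDENED_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE properties SYSTEM 'http://java.sun.com/dtd/properties.dtd'>
<properties>
  <entry key='web.port'>8082</entry>
  <entry key='web.registration'>false</entry>
</properties>
"""

# Constructed config that never mentions the key at all; defaults apply.
DEFAULT_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<properties>
  <entry key='web.port'>8082</entry>
</properties>
"""


def registration_enabled(config_xml: str) -> bool:
    """Return True if self-registration is on in this traccar.xml text.

    A missing web.registration entry counts as enabled, matching the
    advisory's statement that self-registration is enabled by default.
    """
    root = ET.fromstring(config_xml)
    for entry in root.iter("entry"):
        if entry.get("key") == "web.registration":
            value = (entry.text or "").strip().lower()
            return value != "false"
    return True


def audit_config(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means the workaround is in place."""
    findings = []
    if registration_enabled(config_xml):
        findings.append(
            "web.registration is enabled (or unset and therefore defaulting to enabled); "
            "set <entry key='web.registration'>false</entry> in traccar.xml"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in [("vulnerable", VULNERABLE_CONFIG),
                       ("hardened", HARDENED_CONFIG),
                       ("default", DEFAULT_CONFIG)]:
        print(f"{label}: {audit_config(cfg) or 'OK'}")
```

To run it against a real installation, read the file at the path used above (/opt/traccar/conf/traccar.xml) and pass its contents to audit_config; the DOCTYPE is parsed locally and the DTD is not fetched.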
🧯 If You Can't Patch
- Disable self-registration immediately to prevent unauthenticated exploitation
- Implement web application firewall rules to block suspicious file upload requests
- Monitor file system for unexpected file creations in Traccar directories
- Restrict network access to Traccar instances to trusted sources only
🔍 How to Verify
Check if Vulnerable:
Check Traccar version in web interface or configuration files. Versions 5.1 through 5.12 are vulnerable.
Check Version:
Check web interface or grep version from traccar.xml: grep -i version /opt/traccar/conf/traccar.xml
Verify Fix Applied:
Verify Traccar version is 6.0 or later. Test file upload functionality with malicious file extensions.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful registration
- File upload requests with unusual file extensions (.php, .jsp, .sh)
- Files created in unexpected directories
Network Indicators:
- POST requests to /api/device/*/image endpoint with file uploads
- Unusual outbound connections from Traccar server
SIEM Query:
source="traccar" AND method="POST" AND uri_path="/api/device/*/image" AND (file_extension="php" OR file_extension="jsp" OR file_extension="sh")
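The SIEM query above as runnable detection logic, added here as an example and not taken from the advisory or from Traccar. It reads normalised JSON events (a constructed sample set, not real Traccar logs), keeps only POST requests to the image upload endpoint as the page names it, and flags an upload when the file name carries path separators or traversal markers, or when its extension is outside a small allow-list of image types. The allow-list goes beyond the page's php/jsp/sh block-list, so it also catches extensions the query does not enumerate; the field names (method, uri_path, file_name, user) are assumptions about how the events are normalised.

```python
import json
import re
from typing import Iterable

# Constructed sample events, one JSON object per line, as a SIEM might
# normalise Traccar HTTP access events. Not real log data.
SAMPLE_EVENTS = """\
{"source": "traccar", "method": "POST", "uri_path": "/api/device/17/image", "file_name": "photo.jpg", "status": 200, "user": "alice"}
{"source": "traccar", "method": "POST", "uri_path": "/api/device/17/image", "file_name": "shell.php", "status": 200, "user": "newuser42"}
{"source": "traccar", "method": "POST", "uri_path": "/api/device/3/image", "file_name": "../../tmp/x.jsp", "status": 200, "user": "newuser42"}
{"source": "traccar", "method": "GET", "uri_path": "/api/device/17/image", "file_name": "", "status": 200, "user": "alice"}
{"source": "traccar", "method": "POST", "uri_path": "/api/session", "file_name": "", "status": 200, "user": "bob"}
{"source": "traccar", "method": "POST", "uri_path": "/api/device/9/image", "file_name": "cam.PNG", "status": 200, "user": "carol"}
"""

# Upload endpoint pattern exactly as the advisory names it (device id wildcard).
IMAGE_UPLOAD_PATH = re.compile(r"^/api/device/[^/]+/image$")

# Allow-list instead of the page's block-list: anything that is not a plain
# image extension is worth a look, not just php/jsp/sh.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}


def file_extension(name: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[-1].lower()


def classify_upload(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign or out of scope."""
    if event.get("method") != "POST":
        return []
    if not IMAGE_UPLOAD_PATH.match(event.get("uri_path", "")):
        return []
    name = event.get("file_name", "")
    reasons = []
    # A file name should never carry directory components for an image upload.
    if "/" in name or "\\" in name or ".." in name:
        reasons.append("path traversal characters in file name")
    ext = file_extension(name)
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        reasons.append(f"non-image extension {ext or '(none)'!r}")
    return reasons


def scan_events(lines: Iterable[str]) -> list[dict]:
    """Run the rule over JSON-lines input and return one finding per flagged upload."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify_upload(event)
        if reasons:
            findings.append({
                "user": event.get("user"),
                "uri_path": event.get("uri_path"),
                "file_name": event.get("file_name"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS.splitlines()):
        print(f"{finding['user']} -> {finding['uri_path']} "
              f"({finding['file_name']}): {'; '.join(finding['reasons'])}")
```

Pairing the user field with the "recent self-registration" indicator above (a new account followed by an upload like the second and third sample events) makes a stronger correlation than either signal alone.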
🔗 References
- https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56
- https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191
- https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f
- https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9