CVE-2024-39915

9.9 CRITICAL

📋 TL;DR

This vulnerability allows authenticated users with access to Thruk's reporting functionality to execute arbitrary commands on the server via URL parameter injection during PDF report generation. The attack requires valid credentials but can lead to full system compromise. All Thruk users with reporting access are affected.

💻 Affected Systems

Products:
  • Thruk
Versions: All versions before 3.16
Operating Systems: All platforms running Thruk
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with access to reporting functionality. Network access to Thruk web interface is needed.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover with lateral movement to other systems, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Unauthorized command execution leading to service disruption, configuration changes, or credential theft.

🟢 If Mitigated

Limited impact due to network segmentation, minimal user privileges, and proper monitoring catching exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward via URL parameter manipulation. The vulnerability is in the html2pdf.sh script.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.16

Vendor Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-r7gx-h738-4w6f

Restart Required: Yes

Instructions:

  1. Backup current configuration.
  2. Stop Thruk service.
  3. Upgrade to Thruk version 3.16 or later.
  4. Restart Thruk service.
  5. Verify functionality.

🧯 If You Can't Patch

  • Restrict access to reporting functionality to only essential users
  • Implement network segmentation to isolate Thruk servers from critical systems

🔍 How to Verify

Check if Vulnerable:

Check Thruk version via web interface or command line. Versions below 3.16 are vulnerable.

Check Version:

thruk --version

Verify Fix Applied:

Verify Thruk version is 3.16 or higher and test PDF report generation functionality.
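The version check above is easy to get wrong with a plain string comparison ("3.9" sorts after "3.16"). The following is an added example, not part of this advisory or of Thruk: it pulls the first dotted version number out of whatever `thruk --version` prints (the exact output format is an assumption here) and compares it numerically against the fixed release, 3.16, padding "3.16" and "3.16.0" to the same length so they compare equal.

```python
"""Classify a Thruk version string against the fixed release (3.16).

Added example, not part of the advisory or of Thruk. The fix version comes
from the advisory; the output format of `thruk --version` is assumed, so the
parser simply takes the first dotted number it finds in the text.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (3, 16)  # first release containing the fix

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first dotted version in `text` as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so (3, 16) and (3, 16, 0) compare as equal."""
    return tuple(version) + (0,) * (width - len(version))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if below 3.16, False if 3.16 or later, None if no version found.

    Numeric tuple comparison is used deliberately: comparing the strings
    "3.9" and "3.16" would wrongly report 3.9 as fixed.
    """
    found = parse_version(version_text)
    if found is None:
        return None
    width = max(len(found), len(FIXED_VERSION))
    return _pad(found, width) < _pad(FIXED_VERSION, width)


def check_installed() -> Optional[bool]:
    """Run the advisory's `thruk --version` command and classify its output."""
    try:
        proc = subprocess.run(
            ["thruk", "--version"], capture_output=True, text=True, check=False
        )
    except FileNotFoundError:
        return None  # thruk binary not on PATH
    return is_vulnerable(proc.stdout + proc.stderr)


if __name__ == "__main__":
    state = check_installed()
    if state is None:
        print("Could not determine Thruk version; check the web interface instead.")
    elif state:
        print("Thruk is below 3.16: affected by CVE-2024-39915, upgrade required.")
    else:
        print("Thruk is 3.16 or later: fix present; still test PDF report generation.")
```

Run it on the Thruk host after the upgrade as the "Verify Fix Applied" step; a `None` result means the version string was not recognised and the web interface should be consulted instead.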

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF generation requests
  • Suspicious commands in URL parameters
  • Unexpected shell script executions from html2pdf.sh

Network Indicators:

  • Multiple PDF generation requests from single user
  • Unusual outbound connections from Thruk server

SIEM Query:

source="thruk.log" AND ("pdf" OR "report") AND (url_contains(";") OR url_contains("|") OR url_contains("$"))
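The SIEM query above matches the raw request string, so a parameter value sent as `%3B` rather than `;` slips past it. The following is an added example, not part of this advisory or of Thruk, that applies the same indicators to a web-server access log: it URL-decodes every query parameter of PDF/report requests before looking for shell metacharacters, and it counts PDF/report requests per authenticated user to surface the "multiple requests from a single user" indicator. The log format (Apache-style, user in the third field) and the `reports2.cgi` path are assumptions, and the log lines are constructed samples.

```python
"""Apply the advisory's log and network indicators to an access log.

Added example, not part of the advisory or of Thruk. The Apache-style log
format, the authenticated-user field position and the report URL path are
assumptions; SAMPLE_LOG is constructed test data, not real Thruk output.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Characters that let a parameter value escape into a shell command line;
# the advisory's own query looks for ";", "|" and "$".
SHELL_META = set(";|$`&\n")

# Mirrors the advisory's ("pdf" OR "report") filter.
REPORT_HINT = re.compile(r"pdf|report", re.IGNORECASE)

# Assumed Apache combined-style access log: ip ident user [time] "req" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): a normal report, two report
# requests from one user with percent-encoded metacharacters, and a status
# page request that is out of scope for this check.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Jul/2024:09:00:01 +0000] "GET /thruk/cgi-bin/reports2.cgi?report=1&action=pdf HTTP/1.1" 200 51234
10.0.0.7 - bob [10/Jul/2024:09:00:04 +0000] "GET /thruk/cgi-bin/reports2.cgi?report=2&action=pdf&name=weekly%3Bid HTTP/1.1" 200 2301
10.0.0.7 - bob [10/Jul/2024:09:00:05 +0000] "GET /thruk/cgi-bin/reports2.cgi?report=2&action=pdf&name=weekly%24(id) HTTP/1.1" 200 2301
10.0.0.9 - carol [10/Jul/2024:09:01:10 +0000] "GET /thruk/cgi-bin/status.cgi?host=all HTTP/1.1" 200 9876
"""


def query_params(url: str) -> List[Tuple[str, str]]:
    """Split the query string on '&' only and percent-decode each key/value.

    Done by hand rather than with parse_qsl because older Python versions
    also split on ';', which would hide exactly the character we look for.
    """
    params = []
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def suspicious_params(url: str) -> Dict[str, str]:
    """Return decoded parameters whose value contains a shell metacharacter.

    A second decode pass catches double-encoded values (e.g. %253B).
    """
    found = {}
    for key, value in query_params(url):
        if SHELL_META & (set(value) | set(unquote_plus(value))):
            found[key] = value
    return found


def analyse(log_text: str, burst_threshold: int = 2) -> Dict[str, object]:
    """Flag report/PDF requests with injected metacharacters and bursty users."""
    flagged = []
    per_user: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not REPORT_HINT.search(m.group("url")):
            continue
        per_user[m.group("user")] += 1
        bad = suspicious_params(m.group("url"))
        if bad:
            flagged.append({"user": m.group("user"), "ip": m.group("ip"),
                            "time": m.group("ts"), "params": bad})
    bursts = {u: n for u, n in per_user.items() if n >= burst_threshold}
    return {"flagged": flagged, "bursts": bursts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for hit in result["flagged"]:
        print(f"injection indicator: user={hit['user']} ip={hit['ip']} params={hit['params']}")
    for user, count in result["bursts"].items():
        print(f"burst indicator: {user} made {count} PDF/report requests")
```

Point `analyse()` at the real access log of the web server fronting Thruk and tune `burst_threshold` to the normal reporting volume of your users; decoding before matching is the part the one-line SIEM query lacks.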
