CVE-2024-45388

7.5 HIGH

📋 TL;DR

CVE-2024-45388 is a path traversal vulnerability in Hoverfly's simulation API that allows attackers to read arbitrary files from the server filesystem. This affects all Hoverfly users who expose the vulnerable API endpoint, particularly developers and testers using Hoverfly for API simulation. The vulnerability bypasses path restrictions through directory traversal sequences.

💻 Affected Systems

Products:
  • Hoverfly
Versions: All versions before v1.10.3
Operating Systems: All operating systems running Hoverfly
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Hoverfly installation with the simulation API endpoint accessible. The vulnerability exists in the default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through reading sensitive files like SSH keys, configuration files, or credentials, potentially leading to lateral movement and data exfiltration.

🟠 Likely Case

Unauthorized access to sensitive configuration files, source code, or credential files stored on the Hoverfly server.

🟢 If Mitigated

Limited impact if proper network segmentation and file system permissions restrict access to sensitive files.

🌐 Internet-Facing: HIGH - If the Hoverfly API is exposed to the internet, attackers can remotely exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP POST requests to the vulnerable endpoint with crafted path traversal payloads. No authentication is required if the endpoint is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.10.3

Vendor Advisory: https://github.com/SpectoLabs/hoverfly/security/advisories/GHSA-6xx4-x46f-f897

Restart Required: Yes

Instructions:

1. Download Hoverfly v1.10.3 or later from GitHub releases.
2. Stop the running Hoverfly instance.
3. Replace the binary with the patched version.
4. Restart the Hoverfly service.

🔧 Temporary Workarounds

Network Access Restriction

Platform: linux

Restrict network access to Hoverfly API endpoints to trusted IP addresses only.

# Use firewall rules to restrict access to the Hoverfly admin API, which serves /api/v2/simulation.
# Hoverfly's admin API listens on port 8888 by default (-ap); 8500 is the default proxy port (-pp).
# Adjust the port to match your deployment; the ACCEPT rule must come before the DROP rule.
iptables -A INPUT -p tcp --dport 8888 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 8888 -j DROP

Disable Vulnerable Endpoint

Platform: all

Disable or block access to the /api/v2/simulation POST endpoint if not required.

# Use a reverse proxy or application firewall to block the endpoint (nginx example shown).
# Prefix match, all methods: PUT as well as POST to /api/v2/simulation is denied.
location /api/v2/simulation { deny all; }

🧯 If You Can't Patch

  • Implement strict file system permissions to limit Hoverfly's access to sensitive files
  • Deploy Hoverfly in isolated containers with minimal host filesystem access

🔍 How to Verify

Check if Vulnerable:

Check if Hoverfly version is below v1.10.3 and if the /api/v2/simulation endpoint is accessible.

Check Version:

./hoverfly --version

Verify Fix Applied:

Verify Hoverfly version is v1.10.3 or later and test that path traversal attempts to the simulation endpoint are properly blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /api/v2/simulation with ../ sequences in parameters
  • File access errors for unexpected paths in Hoverfly logs

Network Indicators:

  • Unusual file read patterns from Hoverfly server
  • Multiple failed attempts to access restricted paths

SIEM Query:

source="hoverfly.log" AND "POST /api/v2/simulation" AND (".." OR "%2e%2e")
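As an added detection example (not code from this page or from the Hoverfly project), the following Python script applies the log indicators above to constructed log lines: it selects POST/PUT requests to /api/v2/simulation, percent-decodes the path, every query value and every string in the JSON body (catching double encoding such as %252e), and flags real `..` path segments while ignoring look-alikes such as `v1..2/`. The log line format, the client addresses and the `bodyFile` field in the sample payloads are assumptions, not Hoverfly's own log output.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

_TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")  # a ".." path segment
SIMULATION_PATH, WRITE_METHODS = "/api/v2/simulation", {"POST", "PUT"}
# Constructed sample lines (not real Hoverfly output): client method target status body-or-'-'
SAMPLE_LOG = """\
10.0.0.5 POST /api/v2/simulation 200 {"data":{"pairs":[{"response":{"bodyFile":"v1..2/ok.json"}}]}}
10.0.0.7 POST /api/v2/simulation 200 {"data":{"pairs":[{"response":{"bodyFile":"../../etc/passwd"}}]}}
10.0.0.7 PUT /api/v2/simulation 200 {"data":{"pairs":[{"response":{"bodyFile":"%2e%2e%2f%2e%2e%2fetc%2fhostname"}}]}}
10.0.0.7 POST /api/v2/simulation?x=%252e%252e%252fetc%252fpasswd 200 -
10.0.0.9 GET /api/v2/simulation 200 -"""

def fully_decode(value):
    """Bounded repeated percent-decoding, so double encoding (%252e) is caught too."""
    for _ in range(3):
        value, prev = unquote(value), value
        if value == prev:
            break
    return value

def strings_in(obj):  # every string value nested anywhere in a decoded JSON document
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for item in (obj.values() if isinstance(obj, dict) else obj):
            yield from strings_in(item)

def suspicious_requests(log_text):
    """Return (line_no, client, method, decoded_value) for simulation writes carrying '..'."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        client, method, target, _status, body = line.split(" ", 4)
        url = urlsplit(target)
        if method not in WRITE_METHODS or url.path != SIMULATION_PATH:
            continue
        # Inspect the path, each query value, and each string inside the JSON body.
        candidates = [url.path]
        for values in parse_qs(url.query, keep_blank_values=True).values():
            candidates.extend(values)
        try:
            candidates.extend(strings_in(json.loads(body)))
        except json.JSONDecodeError:  # '-' or a malformed body: scan it as raw text
            candidates.append(body)
        for decoded in map(fully_decode, candidates):
            if _TRAVERSAL.search(decoded):
                hits.append((n, client, method, decoded))
                break
    return hits
```

Feeding real proxy or WAF logs through `suspicious_requests` requires only adapting the `split` step to that log format; the decoding and matching logic is format-independent.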

🔗 References
