CVE-2024-47056
📋 TL;DR
This vulnerability allows unauthenticated attackers to directly access Mautic's .env configuration files via web browser, exposing sensitive information like database credentials and API keys. It affects Mautic installations with misconfigured web servers that don't properly restrict access to .env files.
💻 Affected Systems
- Mautic
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Mautic instance including database access, API key theft, and potential lateral movement to connected systems.
Likely Case
Sensitive credential disclosure leading to unauthorized database access and potential data exfiltration.
If Mitigated
No impact if proper web server configurations are in place to block .env file access.
🎯 Exploit Status
Exploitation requires only web browser access to the .env file URL path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest Mautic version
Vendor Advisory: https://github.com/mautic/mautic/security/advisories/GHSA-h2wg-v8wg-jhxh
Restart Required: No
Instructions:
1. Update Mautic to the latest version.
2. For Apache: ensure .htaccess files are respected.
3. For Nginx: add 'location ~ /\.env { deny all; }' to the configuration and reload the service.
🔧 Temporary Workarounds
Nginx Configuration Block
Adds an explicit denial of access to .env files in the Nginx configuration. The pattern is unanchored, so it also covers variants such as .env.local or .env.bak; place it inside every server block that serves the Mautic document root.
location ~ /\.env {
deny all;
}
Apache .htaccess Protection
Ensures Apache respects the .htaccess files that block .env access
Ensure 'AllowOverride All' is set in the Apache configuration for the Mautic directory
🧯 If You Can't Patch
- Configure the web server to block access to .env files
- Move sensitive credentials out of the .env file to a secure location
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://your-mautic-url/.env with a web browser or curl
Check Version:
Check Mautic version in admin panel or via composer show mautic/core
Verify Fix Applied:
Attempt to access the .env file and verify that access is denied (403 or 404 response)
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to .env file requests
- Unusual database connection attempts from new IPs
Network Indicators:
- HTTP GET requests to /.env path
- Sudden outbound database connections
SIEM Query:
web_access_logs | where url contains ".env" and status_code = 200
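The SIEM query above as runnable detection logic over constructed access-log lines (an added example, not code from the original page). It tightens the substring match to path segments that actually name a dotenv file, decodes percent-encoding, and separates served files (200) from blocked probes (403/404). Log format, IPs and paths are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/Nginx "combined" access-log format (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A path segment naming a dotenv-style file: .env, .env.local, .env.bak, ...
ENV_SEGMENT_RE = re.compile(r'^\.env(\.|$)', re.IGNORECASE)


def is_env_request(target: str) -> bool:
    """True if any path segment of the request target is a dotenv-style file.
    Percent-encoding is decoded so /%2Eenv is treated like /.env; the query
    string is ignored so ?p=.env does not trigger a false positive."""
    path = unquote(urlsplit(target).path)
    return any(ENV_SEGMENT_RE.match(seg) for seg in path.split('/'))


def find_env_exposures(lines):
    """Return (served, probed): served = .env requests answered with HTTP 200,
    i.e. the file was disclosed; probed = .env requests that were denied."""
    served, probed = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_env_request(m['target']):
            continue
        hit = (m['ip'], m['target'], int(m['status']))
        (served if hit[2] == 200 else probed).append(hit)
    return served, probed


# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /.env HTTP/1.1" 200 1342 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /app/config/.env.local HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "GET /%2Eenv HTTP/1.1" 200 1342 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2024:13:57:10 +0000] "GET /media/theme.env.css HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2024:13:57:11 +0000] "GET /s/login?p=.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    served, probed = find_env_exposures(SAMPLE_LOG)
    for ip, target, status in served:
        print(f"EXPOSED  {ip} {target} -> {status}")
    for ip, target, status in probed:
        print(f"probe    {ip} {target} -> {status}")
```

A plain `url contains ".env"` rule would also flag the theme.env.css and query-string lines; the segment check above does not.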