CVE-2024-50334

5.3 MEDIUM

📋 TL;DR

This CVE describes a semicolon path injection vulnerability in Scoold's API endpoint that allows unauthenticated attackers to bypass authentication and access sensitive configuration data. Attackers can also use HOCON file inclusion to read server configuration files. All Scoold instances with the API enabled and running versions before 1.64.0 are affected.

💻 Affected Systems

Products:
  • Scoold
Versions: All versions before 1.64.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with scoold.api_enabled = true (default is true)

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full access to server configuration files containing secrets, database credentials, API keys, and other sensitive data, leading to complete system compromise.

🟠

Likely Case

Unauthenticated attackers retrieve configuration files containing sensitive information that can be used for further attacks against the Scoold instance or related systems.

🟢

If Mitigated

With proper controls, attackers can only access limited information or the attack is blocked entirely by network controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required, no authentication needed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.64.0

Vendor Advisory: https://github.com/Erudika/scoold/security/advisories/GHSA-fhwp-f6g7-rr3p

Restart Required: Yes

Instructions:

1. Back up your Scoold configuration and data.
2. Stop the Scoold service.
3. Update Scoold to version 1.64.0 or later.
4. Restart the Scoold service.
5. Verify the fix by testing the previously vulnerable endpoints.

🔧 Temporary Workarounds

Disable Scoold API

Platforms: all

Disable the vulnerable API endpoint entirely by setting scoold.api_enabled = false in your Scoold configuration file.

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to Scoold API endpoints
  • Deploy a WAF with rules to block requests containing semicolons in URL paths

🔍 How to Verify

Check if Vulnerable:

Test whether the /api;/config endpoint can be accessed without authentication, or whether PUT requests carrying a Content-Type: application/hocon header succeed.

Check Version:

Check Scoold version in web interface or application logs, or run: java -jar scoold.jar --version

Verify Fix Applied:

After patching, verify that the /api;/config endpoint returns proper authentication errors or is inaccessible.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /api;/config
  • PUT requests with Content-Type: application/hocon header
  • Unauthenticated access to configuration endpoints

Network Indicators:

  • Unusual traffic patterns to Scoold API endpoints
  • Requests with semicolons in URL paths

SIEM Query:

source="scoold.logs" AND (url_path="/api;/config" OR (http_method="PUT" AND content_type="application/hocon"))
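As an added illustration of the log and network indicators above (this is not part of the advisory, and the access-log format it parses is a constructed, assumed one with the request Content-Type appended as a trailing quoted field), the following Python scanner flags the two patterns the SIEM query looks for. It generalizes the first indicator slightly: rather than matching only the literal string /api;/config, it strips matrix parameters from each path segment and flags any request whose raw path contains a semicolon and whose normalized path resolves under /api, while leaving alone the common benign use of semicolons (for example ;jsessionid=... outside the API).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed (constructed) access-log format: combined-style line with an extra
# trailing quoted field carrying the request Content-Type. Real servlet
# container logs differ; adapt LOG_RE to the format you actually ship.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)

SEMICOLON_REASON = "semicolon in path resolving under /api"
HOCON_REASON = "PUT with application/hocon body"


@dataclass
class Finding:
    ip: str
    reason: str
    method: str
    path: str


def normalize_path(raw_path: str) -> str:
    """Drop matrix parameters (';...' after a segment) the way a servlet
    container would, so '/api;/config' and '/api;x=1/config' both become
    '/api/config'. Query strings are removed first."""
    path = raw_path.split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious request, or None for benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method = m.group("method")
    raw_path = m.group("target").split("?", 1)[0]
    norm = normalize_path(raw_path)
    ctype = m.group("ctype").lower()

    # Indicator 1: a semicolon in the path whose normalized form lands under /api.
    if ";" in raw_path and (norm == "/api" or norm.startswith("/api/")):
        return Finding(m.group("ip"), SEMICOLON_REASON, method, raw_path)

    # Indicator 2: PUT request declaring a HOCON body.
    if method == "PUT" and ctype.startswith("application/hocon"):
        return Finding(m.group("ip"), HOCON_REASON, method, raw_path)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run classify() over every line and keep only the hits."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2024:10:00:01 +0000] "GET /api;/config HTTP/1.1" 200 512 "-"',
    '203.0.113.5 - - [10/Nov/2024:10:00:02 +0000] "GET /api/questions?page=1 HTTP/1.1" 200 1024 "-"',
    '198.51.100.7 - - [10/Nov/2024:10:00:03 +0000] "PUT /api/config HTTP/1.1" 403 0 "application/hocon"',
    '192.0.2.9 - - [10/Nov/2024:10:00:04 +0000] "GET /questions;jsessionid=abc/123 HTTP/1.1" 200 200 "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ip} {finding.method} {finding.path}: {finding.reason}")
```

Run against the constructed sample, only the first and third lines are reported; the jsessionid line is ignored because its normalized path is /questions/123, not under /api. Feed real log lines into scan() after adjusting LOG_RE, and alert on any Finding whose status is not 401/403 on a patched instance.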

🔗 References
