CVE-2024-52297
📋 TL;DR
Tolgee localization platform versions 3.81.1 and earlier expose all configuration properties publicly through PublicConfigurationDTO, allowing unauthenticated users to access sensitive configuration data. This affects all deployments using vulnerable versions. The vulnerability enables information disclosure that could facilitate further attacks.
💻 Affected Systems
- Tolgee
📦 What is this software?
Tolgee by Tolgee
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain sensitive configuration data (API keys, database credentials, internal endpoints) leading to complete system compromise, data exfiltration, or lateral movement within the infrastructure.
Likely Case
Unauthenticated users access configuration details that reveal system architecture, internal endpoints, or partial credentials, enabling reconnaissance for follow-up attacks.
If Mitigated
With proper network segmentation and access controls, impact is limited to information disclosure about the Tolgee instance itself.
🎯 Exploit Status
Exploitation requires only HTTP access to the vulnerable endpoint; no authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.81.2
Vendor Advisory: https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-3wr3-889v-pgcj
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Stop the Tolgee service.
3. Update to version 3.81.2 or later via package manager or manual installation.
4. Restart the Tolgee service.
5. Verify the fix by checking the version and testing the endpoint.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Tolgee instance using firewall rules or network policies. The ACCEPT rule must be appended before the DROP rule, because iptables evaluates rules in chain order:
iptables -A INPUT -p tcp --dport <tolgee_port> -s <trusted_ips> -j ACCEPT
iptables -A INPUT -p tcp --dport <tolgee_port> -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit Tolgee exposure to trusted networks only
- Deploy a reverse proxy or WAF with request filtering to block access to sensitive endpoints
🔍 How to Verify
Check if Vulnerable:
Access the PublicConfigurationDTO endpoint (typically /api/public/configuration) and check if it returns full configuration data including sensitive properties
Check Version:
Check Tolgee version in web interface or via API endpoint /api/public/configuration
Verify Fix Applied:
After patching, access the same endpoint and verify only non-sensitive configuration properties are returned
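The verification steps above can be scripted. The following is an added example written for this page, not code from the Tolgee project: it fetches /api/public/configuration, walks the JSON response, and flags property names that look like credentials or internal connection details, then compares the reported version against the fixed release 3.81.2. The key-name patterns, the sample responses and the assumption that the response carries a top-level "version" field are all constructed for the example; Tolgee's real configuration schema may differ, so treat the result as a heuristic and inspect the raw response as well.

```python
import json
import re
import urllib.request
from typing import Any

CONFIG_PATH = "/api/public/configuration"
FIXED_VERSION = (3, 81, 2)

# Heuristic: property names that should never reach unauthenticated clients.
# This list is an assumption for the example, not Tolgee's configuration schema.
SENSITIVE_KEY_PATTERN = re.compile(
    r"(password|passwd|secret|token|apikey|api_key|credential|private|jdbc|datasource)",
    re.IGNORECASE,
)


def find_sensitive_keys(obj: Any, path: str = "") -> list[str]:
    """Return dotted paths of keys in a decoded JSON document whose names
    match the sensitive-name heuristic, recursing into objects and arrays."""
    found: list[str] = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else str(key)
            if SENSITIVE_KEY_PATTERN.search(str(key)):
                found.append(child)
            found.extend(find_sensitive_keys(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(find_sensitive_keys(item, f"{path}[{i}]"))
    return found


def version_is_fixed(version: str) -> bool:
    """True if the numeric part of the version string is >= 3.81.2.
    Missing components are treated as zero."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    parts += [0] * (3 - len(parts))
    return tuple(parts) >= FIXED_VERSION


def assess_configuration(body: str) -> dict:
    """Assess a raw JSON response body from the public configuration endpoint."""
    data = json.loads(body)
    exposed = find_sensitive_keys(data)
    version = str(data.get("version", "")) if isinstance(data, dict) else ""
    return {
        "version": version,
        "version_fixed": version_is_fixed(version) if version else None,
        "exposed_keys": exposed,
        # Exposed sensitive-looking keys are the primary signal; the version
        # check only corroborates it.
        "vulnerable": bool(exposed),
    }


def fetch_public_configuration(base_url: str, timeout: float = 5.0) -> str:
    """GET the public configuration endpoint of an instance you administer."""
    url = base_url.rstrip("/") + CONFIG_PATH
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses (not captured from a real Tolgee instance).
SAMPLE_EXPOSED = json.dumps({
    "version": "3.81.1",
    "authentication": True,
    "internal": {
        "jdbcUrl": "jdbc:postgresql://db.internal:5432/tolgee",
        "smtpPassword": "constructed-placeholder",
    },
    "machineTranslation": {"providers": [{"name": "example", "apiKey": "constructed"}]},
})
SAMPLE_SAFE = json.dumps({"version": "3.81.2", "authentication": True, "maxUploadFileSize": 50})


if __name__ == "__main__":
    # Offline demonstration; replace with fetch_public_configuration("https://your-host")
    # against an instance you are responsible for.
    for label, body in (("exposed", SAMPLE_EXPOSED), ("safe", SAMPLE_SAFE)):
        print(label, assess_configuration(body))
```

Run it against the constructed samples first; the exposed sample reports three sensitive-looking paths and a pre-fix version, the safe sample reports none. On a real instance, an empty exposed list plus a version at or above 3.81.2 is the expected post-patch state.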
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /api/public/configuration endpoint
- Multiple requests from single IP to configuration endpoints
Network Indicators:
- HTTP GET requests to /api/public/configuration from untrusted sources
- Traffic spikes to configuration endpoints
SIEM Query:
source="tolgee" AND (uri_path="/api/public/configuration" OR endpoint="configuration")