CVE-2024-54449
📋 TL;DR
This vulnerability allows authenticated attackers with document read/write privileges to write arbitrary files to any location on the LogicalDOC server's file system, potentially leading to remote code execution. The flaw exists in two API endpoints that handle document interactions. Organizations running vulnerable versions of LogicalDOC are affected.
💻 Affected Systems
- LogicalDOC
📦 What is this software?
Logicaldoc by Logicaldoc
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the web server, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Attackers upload malicious files to execute commands, potentially stealing sensitive documents, installing malware, or using the server for further attacks.
If Mitigated
With proper network segmentation and least privilege access, impact could be limited to the application server only.
🎯 Exploit Status
Requires authenticated access and knowledge of vulnerable endpoints
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.5.4
Vendor Advisory: https://www.logicaldoc.com/download-logicaldoc
Restart Required: No
Instructions:
1. Backup your LogicalDOC installation and database.
2. Download LogicalDOC 9.5.4 or later from the official website.
3. Follow the upgrade instructions in the documentation.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Restrict API Access
Implement network-level restrictions to limit access to the vulnerable API endpoints
File System Permissions
Set strict file system permissions to prevent writing outside designated directories
🧯 If You Can't Patch
- Implement strict access controls and limit document read/write privileges to essential users only
- Deploy web application firewall rules to detect and block suspicious file write attempts
🔍 How to Verify
Check if Vulnerable:
Check LogicalDOC version in administration panel or by examining installation files
Check Version:
Check admin panel or examine logicaldoc/WEB-INF/classes/version.properties
Verify Fix Applied:
Verify version is 9.5.4 or later and test API endpoints for path traversal
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations via API
- Multiple failed authentication attempts followed by successful API calls
- Suspicious file paths in API requests
Network Indicators:
- Unusual patterns in API requests to document endpoints
- Requests attempting path traversal sequences
SIEM Query:
source="logicaldoc" AND (event="FILE_WRITE" OR api_endpoint="*/document/*") AND (path CONTAINS ".." OR path CONTAINS "/etc/" OR path CONTAINS "/root/")
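The SIEM query above and the "File System Permissions" workaround can both be expressed in code. The following is an added example, not part of this advisory or of LogicalDOC: it runs the query's logic over a few constructed log lines (the log format, the `/document/` endpoint path and the repository directory are all assumptions) and shows the path-containment check a document store should apply before writing a file.

```python
import os
import re
from typing import List

# Constructed sample API request log lines; the format is an assumption,
# not LogicalDOC's real log layout.
SAMPLE_LOG = """\
2024-12-01T10:00:01Z user=alice api=/services/rest/document/upload path=reports/q4.pdf
2024-12-01T10:00:05Z user=bob api=/services/rest/document/upload path=../../webapps/ROOT/x.jsp
2024-12-01T10:00:09Z user=bob api=/services/rest/document/upload path=/etc/cron.d/job
2024-12-01T10:00:12Z user=carol api=/services/rest/folder/list path=invoices/2024
"""

# A ".." path segment, with either slash style, at any position.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def is_contained(base_dir: str, requested: str) -> bool:
    """Return True only if `requested` resolves to a location inside base_dir.
    Canonicalise both sides so symlinks, '..' segments and absolute paths
    cannot escape the repository; this is the containment check the
    workaround section asks for."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return target == base or target.startswith(base + os.sep)

def flag_suspicious_requests(log_text: str,
                             base_dir: str = "/opt/logicaldoc/repository") -> List[str]:
    """Mirror the SIEM query: document-endpoint calls whose path contains
    '..' or would land outside the repository. Returns the offending lines."""
    flagged = []
    for line in log_text.splitlines():
        # Drop the timestamp, then parse the remaining key=value fields.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        api, path = fields.get("api", ""), fields.get("path", "")
        if "/document/" not in api:
            continue
        if TRAVERSAL.search(path) or not is_contained(base_dir, path):
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("SUSPICIOUS:", hit)
```

The absolute-path case is the one a plain `".."` substring match misses, which is why the containment check is applied in addition to the regex.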