CVE-2024-55075
📋 TL;DR
This vulnerability in Grocy allows remote attackers to access sensitive information by directly requesting pages not visible in the user interface, such as calendar and recipe pages. It affects all Grocy instances up to version 4.3.0 that are exposed to untrusted networks. Attackers can exploit this without authentication to view potentially confidential data.
💻 Affected Systems
- Grocy
📦 What is this software?
Grocy by Grocy Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain sensitive personal or operational data including recipes, calendar events, and other information not intended for public viewing, potentially leading to privacy violations or operational intelligence gathering.
Likely Case
Unauthenticated users access calendar and recipe pages containing personal or household information that should be protected.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to authorized users only accessing their intended data.
🎯 Exploit Status
Exploitation requires only direct HTTP requests to specific endpoints not visible in UI.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.1 or later
Vendor Advisory: https://github.com/grocy/grocy/releases
Restart Required: Yes
Instructions:
1. Backup your Grocy installation and database
2. Download latest version from GitHub releases
3. Replace existing files with new version
4. Restart web server service
🔧 Temporary Workarounds
Web Server Access Control
Configure the web server to deny access to the affected endpoints (note that this also blocks legitimate, logged-in users from these pages until the instance is patched)
# Apache, in the virtual host config (RewriteEngine On must be set; the URL path is matched with its leading slash)
RewriteRule ^/(calendar|recipes) - [F]
# Apache, in .htaccess (per-directory context strips the leading slash, so the pattern has none)
RewriteRule ^(calendar|recipes) - [F]
# Nginx: Add to server block
location ~ ^/(calendar|recipes) { return 403; }
Network Segmentation
Restrict Grocy access to trusted networks only
# Firewall rule example (iptables); TRUSTED_NETWORK is a placeholder such as 192.168.1.0/24.
# Place these ahead of any broader ACCEPT rule, and adjust the ports if Grocy is served elsewhere.
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit Grocy access to trusted users only
- Deploy web application firewall rules to block requests to /calendar and /recipes endpoints
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://GROCY_URL/calendar or http://GROCY_URL/recipes without authentication. If the pages load, the system is vulnerable.
Check Version:
Check Grocy version in web interface footer or via /api/system/info endpoint
Verify Fix Applied:
After patching, repeat the same requests. You should receive a 403/404 response or a redirect to the login page.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /calendar or /recipes for requests that carry no authenticated session (access logs do not record session state, so correlate with source IP or application logs)
- Unusual access patterns to these endpoints
Network Indicators:
- HTTP GET requests to /calendar or /recipes paths from external IPs
SIEM Query:
source="web_server_logs" AND (uri_path="/calendar" OR uri_path="/recipes") AND status=200 AND NOT user_agent="*bot*"
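As an added example (not code from the advisory or from the Grocy project), a Python check that applies the log indicators above to web server access logs: it flags HTTP 200 responses for /calendar and /recipes from addresses outside an assumed trusted LAN (192.168.1.0/24 is an assumption), since combined-format logs do not record session state. The sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Apache/Nginx "combined" access-log format. Session state is not logged, so the
# signal here is a 200 on an exposed page from an address outside the trusted LAN.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The two endpoints named in the advisory, including sub-paths and query strings.
EXPOSED_PATHS = re.compile(r"^/(calendar|recipes)(/|\?|$)")
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: household LAN

def is_trusted(ip):
    """True when the source address lies inside a trusted network; malformed addresses count as untrusted."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETWORKS)
    except ValueError:
        return False

def find_exposed_hits(lines):
    """Return (ip, path, timestamp) for 200 responses on /calendar or /recipes from untrusted IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if m["status"] != "200" or not EXPOSED_PATHS.match(m["path"]):
            continue  # redirects to login (302) and unrelated paths are not findings
        if is_trusted(m["ip"]):
            continue
        hits.append((m["ip"], m["path"], m["ts"]))
    return hits

def summarize(hits):
    """Hits per source IP, so a burst from a single address stands out."""
    return Counter(ip for ip, _, _ in hits)

# Constructed sample lines (not real traffic): two exposed reads from outside, one from the
# LAN, one request already redirected to login, and one unrelated path that must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:08:00:01 +0000] "GET /calendar HTTP/1.1" 200 6120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:08:00:02 +0000] "GET /recipes?page=2 HTTP/1.1" 200 9871 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Jan/2025:08:01:00 +0000] "GET /recipes HTTP/1.1" 200 9871 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Jan/2025:08:02:00 +0000] "GET /calendar HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.3 - - [10/Jan/2025:08:02:05 +0000] "GET /recipesbook HTTP/1.1" 200 120 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for ip, count in summarize(find_exposed_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {count} exposed-page hit(s) with HTTP 200 from outside the trusted network")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; any hit after the patch is applied indicates the fix did not take effect.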