CVE-2024-55076
📋 TL;DR
Grocy versions through 4.3.0 lack Cross-Site Request Forgery (CSRF) protection, allowing attackers to trick authenticated users into performing unintended actions. This vulnerability enables attackers to change administrator passwords and potentially take full control of the application. All Grocy installations up to version 4.3.0 are affected.
💻 Affected Systems
- Grocy
📦 What is this software?
Grocy by Grocy Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover where an attacker changes the administrator password, gains full administrative access, and can modify all data, user accounts, and system settings.
Likely Case
Account compromise where attackers change administrator or user passwords, leading to unauthorized access, data manipulation, or service disruption.
If Mitigated
Limited impact with proper network segmentation and access controls, though CSRF attacks could still succeed against authenticated users.
🎯 Exploit Status
Exploitation requires the victim to be authenticated and visit a malicious website or click a crafted link. The attack leverages the lack of CSRF tokens on sensitive actions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.1 or later
Vendor Advisory: https://github.com/grocy/grocy/releases
Restart Required: No
Instructions:
1. Back up your Grocy installation and database.
2. Download the latest version from GitHub releases.
3. Replace the existing files with the patched version.
4. Verify the installation works correctly.
🔧 Temporary Workarounds
Implement CSRF Protection Manually
Add CSRF tokens to all state-changing forms and validate them server-side using middleware or custom code.
Use SameSite Cookies
Configure session cookies with the SameSite=Strict attribute so the browser does not send them on cross-site requests.
Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly
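As an added illustration of the manual workaround above (not Grocy's own code), the following Python shows a session-bound synchronizer token check for state-changing requests, with an Origin/Referer same-origin check as defence in depth. The secret, origin, session ids and endpoint names are constructed placeholders.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Hypothetical values: a real deployment loads the secret from configuration.
SERVER_SECRET = secrets.token_bytes(32)
APP_ORIGIN = "https://grocy.example.internal"  # constructed placeholder origin


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-style token bound to the session: HMAC(secret, session_id).
    Embed it as a hidden form field; it changes whenever the session id rotates."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(header_value, expected_origin: str) -> bool:
    """True if an Origin or Referer header value points back at the application itself."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == expected_origin


def validate_state_changing_request(method, session_id, form_token,
                                    origin=None, referer=None,
                                    expected_origin=APP_ORIGIN):
    """Return (ok, reason) for a request such as a password-change form submission."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if not form_token:
        return False, "missing csrf token"
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so token guessing cannot be timed.
    if not hmac.compare_digest(expected, form_token):
        return False, "csrf token does not match session"
    # Prefer Origin; fall back to Referer. A forged cross-site POST fails here too.
    if not _same_origin(origin or referer, expected_origin):
        return False, "cross-origin request"
    return True, "ok"


def demo():
    sid = "session-abc123"  # constructed session id
    token = issue_csrf_token(sid)
    legit = validate_state_changing_request("POST", sid, token, origin=APP_ORIGIN)
    forged = validate_state_changing_request("POST", sid, None, origin="https://attacker.example")
    stolen = validate_state_changing_request("POST", sid, issue_csrf_token("session-other"),
                                             origin=APP_ORIGIN)
    return legit, forged, stolen
```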
🧯 If You Can't Patch
- Implement network segmentation to isolate Grocy from untrusted networks.
- Use a web application firewall (WAF) with CSRF protection rules enabled.
🔍 How to Verify
Check if Vulnerable:
Check if your Grocy version is 4.3.0 or earlier by viewing the version in the web interface or checking the package files.
Check Version:
Check the version in the web interface or examine the composer.json file for the version number.
Verify Fix Applied:
Verify the version is 4.3.1 or later and test that forms include CSRF tokens (look for hidden input fields with CSRF tokens).
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful password change
- Unusual password change requests from unexpected IP addresses
Network Indicators:
- HTTP POST requests to password change endpoints without Referer headers or CSRF tokens
SIEM Query:
source="grocy.log" AND (event="password_change" OR event="admin_action") AND NOT referer="https://your-grocy-domain/*"