{
  "id": "CVE-2024-55555",
  "sourceIdentifier": "cve@mitre.org",
  "published": "2025-01-07T17:15:30.503",
  "lastModified": "2025-01-07T20:15:30.430",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The route/{hash} route defined in the invoiceninja/routes/client.php file can be accessed without authentication. The parameter {hash} is passed to the function decrypt that expects a Laravel ciphered value containing a serialized object. (Furthermore, Laravel contains several gadget chains usable to trigger remote command execution from arbitrary deserialization.) Therefore, an attacker in possession of the APP_KEY is able to fully control a string passed to an unserialize function."
    },
    {
      "lang": "es",
      "value": "Invoice Ninja anterior a la versi\u00f3n 5.10.43 permite la ejecuci\u00f3n remota de c\u00f3digo desde una ruta autenticada previamente cuando un atacante conoce la APP_KEY. Esto se ve agravado por los archivos .env, disponibles en el repositorio del producto, que tienen valores APP_KEY predeterminados. Se puede acceder a la ruta route/{hash} definida en el archivo invoiceninja/routes/client.php sin autenticaci\u00f3n. El par\u00e1metro {hash} se pasa a la funci\u00f3n decrypt que espera un valor cifrado de Laravel que contiene un objeto serializado. (Adem\u00e1s, Laravel contiene varias cadenas de gadgets que se pueden utilizar para activar la ejecuci\u00f3n remota de comandos a partir de una deserializaci\u00f3n arbitraria). Por lo tanto, un atacante en posesi\u00f3n de la APP_KEY puede controlar por completo una cadena que se pasa a una funci\u00f3n unserialize."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/invoiceninja/invoiceninja/commit/d9302021472c3e7e23bac8c3d5fbec57a5f38f0c",
      "source": "cve@mitre.org"
    },
    {
      "url": "https://www.synacktiv.com/advisories/invoiceninja-unauthenticated-remote-command-execution-when-appkey-known",
      "source": "cve@mitre.org"
    }
  ]
}