CVE-2024-31453 in psitransfer
Summary
by MITRE • 04/09/2024
PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.2.0, the absence of restrictions on the endpoint, which allows users to create a path for uploading a file in a file distribution, allows an attacker to add arbitrary files to the distribution. The vulnerability allows an attacker to influence those users who come to the file distribution after them and slip the victim files with a malicious or phishing signature. Version 2.2.0 contains a patch for the issue.
CVE-2024-31453 allows users to violate the integrity of a file bucket and upload new files there, while the vulnerability with the number CVE-2024-31454 allows users to violate the integrity of a single file that is uploaded by another user by writing data there and not allows you to upload new files to the bucket. Thus, vulnerabilities are reproduced differently, require different security recommendations and affect different objects of the application’s business logic.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/09/2024
PsiTransfer represents a self-hosted file sharing platform that enables users to distribute files through generated links. The vulnerability described in CVE-2024-31453 stems from insufficient input validation and access control mechanisms within the file upload endpoint. This flaw exists in versions prior to 2.2.0 where the application fails to properly validate file paths during the upload process, allowing attackers to manipulate the destination directory structure. The technical implementation lacks proper sanitization of user-supplied path parameters, creating a path traversal condition that enables arbitrary file placement within the file distribution system. This weakness directly maps to CWE-22 Path Traversal and CWE-73 Path Traversal in the Common Weakness Enumeration catalog, representing a fundamental failure in input validation and directory access control.
The operational impact of this vulnerability extends beyond simple unauthorized file placement, creating a sophisticated attack vector for social engineering campaigns. An attacker exploiting this flaw can inject malicious files into existing file distributions, potentially compromising users who access these shared resources after the attack has been executed. This creates a persistent threat where victims unknowingly download infected files that appear legitimate within the context of the file sharing environment. The vulnerability enables attackers to slip malicious payloads with phishing signatures, effectively transforming the legitimate file sharing infrastructure into a vector for delivering malware or conducting credential theft operations. This aligns with ATT&CK technique T1195.001 for Phishing and T1059.001 for Command and Scripting Interpreter, as the attack leverages the trust relationship between users and the file sharing platform.
The security implications of CVE-2024-31453 represent a critical compromise of data integrity within the file sharing ecosystem. Unlike CVE-2024-31454 which focuses on modifying existing files, this vulnerability enables complete file injection into the distribution system, potentially affecting multiple users simultaneously. The patch implemented in version 2.2.0 likely includes proper input validation, path sanitization, and access control checks that prevent arbitrary directory traversal during file upload operations. Organizations should implement comprehensive monitoring of file distribution activities and conduct regular security assessments of their file sharing infrastructure to prevent similar vulnerabilities. The vulnerability demonstrates the importance of validating all user inputs and implementing proper authorization checks, particularly in file handling components where path manipulation can lead to system compromise. Security teams must also consider the broader implications of such vulnerabilities in self-hosted applications where the attack surface extends beyond traditional network boundaries.