DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey
| Our reference | DIVD-2024-00031 |
| Case lead | Alwin Warringa |
| Author | Victor Pasman |
| Researcher(s) | |
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Check for the patched versions and get those installed |
| Patch status | Released |
| Workaround | N/A |
| Status | Open |
| Last modified | 07 Aug 2024 20:04 CEST |
Summary
A Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system.
Recommendations
Comfort Key released patched version 24.1.2. Please update to this version number or higher if possible.
Mitigation
N/A
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of Geoserver and to notify these parties. We do this by verifying the presence of the vulnerability in a harmless manner and collect the software version number if possible.
Timeline
| Date | Description |
|---|---|
| 02 Jul 2024 | DIVD contacted the vendor to disclose the vulnerability. |
| 04 Jul 2024 | Supplier created/delivered beta version for retesting. |
| 05 Jul 2024 | Patch was verified, vulnerability was resolved. |
| 05 Aug 2024 | First version of this casefile. |
gantt
title DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2024-00031 - Unauthenticated Local File Inclusion vulnerability in ComfortKey (still open) :2024-08-05, 2024-11-28
section Events
DIVD contacted the vendor to disclose the vulnerability. : milestone, 2024-07-02, 0d
Supplier created/delivered beta version for retesting. : milestone, 2024-07-04, 0d
Patch was verified, vulnerability was resolved. : milestone, 2024-07-05, 0d
First version of this casefile. : milestone, 2024-08-05, 0d