A critical vulnerability, identified as CVE-2024-1920, has been discovered in osuuu LightPicture versions up to and including 1.2.2. It affects the function handle in the file /app/middleware/TokenVerify.php, which relies on a hard-coded cryptographic key. Although the complexity of such an attack is high and exploitation is considered difficult, the exploit is now publicly available and may be used by malicious individuals. The vulnerability is also tracked as VDB-254855.

Vulnerability Details

The vulnerability lies in how the TokenVerify.php middleware of osuuu LightPicture handles its cryptographic key. The key is hard-coded in the source file, so it is identical across installations and known to anyone who can read the code.

The affected code snippet is shown below:

class TokenVerify {
    private static $key = "H4rdCd3dK3y";
    ...
}

As seen in the snippet, the static variable $key is assigned a hard-coded value "H4rdCd3dK3y". As a result, attackers can abuse this improper implementation to decrypt sensitive information or fabricate malicious tokens, ultimately compromising the security of affected applications or installations.

Exploit Details

Although the attack is complex and difficult to carry out, the exploit has been publicly disclosed, and skilled attackers may use it to target vulnerable systems.

The security community recommends immediately updating osuuu LightPicture to the latest version to mitigate the risk posed by the CVE-2024-1920 vulnerability. If updating the application is not possible, a temporary workaround is to manually revise the affected TokenVerify.php file and replace the hard-coded key with a securely generated one.
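One way to implement the workaround, shown as an added example that is not LightPicture's own code: generate a random key once per installation, store it outside the source tree, and fail closed if it cannot be loaded. The class name TokenKeyStore, the key file path and the key length are assumptions, and the permission check assumes a POSIX host.

```php
<?php
// Added example, not LightPicture code: class name, path and sizes are assumptions.
declare(strict_types=1);

final class TokenKeyStore
{
    private const KEY_FILE  = '/etc/lightpicture/token.key'; // hypothetical, outside web root
    private const KEY_BYTES = 32;                            // 256-bit key

    /** Create the per-installation key once; never overwrite an existing one. */
    public static function provision(string $path = self::KEY_FILE): void
    {
        $fh = @fopen($path, 'x'); // 'x' fails if the file already exists
        if ($fh === false) {
            throw new RuntimeException("Key file exists or cannot be created: $path");
        }
        chmod($path, 0600); // owner-only, set before the secret is written (POSIX)
        fwrite($fh, bin2hex(random_bytes(self::KEY_BYTES))); // CSPRNG output
        fclose($fh);
    }

    /** Load the key; fail closed if it is missing, malformed or too widely readable. */
    public static function load(string $path = self::KEY_FILE): string
    {
        $hex = is_readable($path) ? trim((string) file_get_contents($path)) : '';
        if (!ctype_xdigit($hex) || strlen($hex) !== self::KEY_BYTES * 2) {
            throw new RuntimeException('Token key missing or malformed; refusing to continue');
        }
        if ((fileperms($path) & 0077) !== 0) {
            throw new RuntimeException('Token key file is accessible to group or other');
        }
        return hex2bin($hex);
    }
}

// Demo on a constructed temporary path so the example runs without touching /etc.
$path = sys_get_temp_dir() . '/token-demo-' . bin2hex(random_bytes(4)) . '.key';
TokenKeyStore::provision($path);
$key = TokenKeyStore::load($path);
echo strlen($key), " byte key loaded\n";
unlink($path);
```

Replacing the key invalidates every token issued under the old one, so plan for existing sessions to be rejected after the change.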

- The CVE report: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1920
- The affected software repository: https://github.com/osuuu/LightPicture
- The vulnerability database entry (VDB-254855): https://vuldb.com/?id.254855

Conclusion

The critical CVE-2024-1920 vulnerability in osuuu LightPicture versions up to and including 1.2.2 poses a serious security risk due to the use of a hard-coded cryptographic key within the /app/middleware/TokenVerify.php file. Although crafting a successful attack is complex, the publicly disclosed exploit may be used by skilled attackers. Stay vigilant and apply the recommended update or workaround to minimize the risk of system compromise.

Timeline

Published on: 02/27/2024 14:15:27 UTC
Last modified on: 03/21/2024 02:51:49 UTC