Divd-2024-00031 case

_cases/2024/DIVD-2024-00031.md

@@ -0,0 +1,53 @@
+---
+layout: case
+title: "Unauthenticated Local File Inclusion vulnerability in ComfortKey"
+author: Victor Pasman
+lead: Alwin Warringa
+excerpt: "A Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system."
+researchers:
+- Alwin Warringa
+cves:
+- CVE-2024-27120
+product:
+- ComfortKey
+versions:
+- ComfortKey below version 24.1.2. 
+recommendation: "Check for the patched versions and get those installed"
+workaround: "N/A"
+patch_status: Released
+status : Open
+start: 2024-08-05
+end:
+timeline:
+- start: 2024-07-02
+  end:
+  event: "DIVD contacted the vendor to disclose the vulnerability."
+- start: 2024-07-04
+  end:
+  event: "Supplier created/delivered beta version for retesting."
+- start: 2024-07-05
+  end:
+  event: "Patch was verified, vulnerability was resolved."
+- start: 2024-08-05
+  end:
+  event: "First version of this casefile."
+# ips: 0
+
+---
+
+## Summary
+A Local File Inclusion vulnerability has been found in ComfortKey, a product of Celsius Benelux. Using this vulnerability, an unauthenticated attacker may retrieve sensitive information about the underlying system.
+
+## Recommendations
+Comfort Key released patched version 24.1.2. Please update to this version number or higher if possible.
+
+## Mitigation
+N/A
+
+## What we are doing
+DIVD is currently working to identify parties that are running a vulnerable version of Geoserver and to notify these parties. We do this by verifying the presence of the vulnerability in a harmless manner and collect the software version number if possible.
+
+{% include timeline.html %}
+
+## More information
+* {% cve CVE-2024-27120 %}