Traccar 5 open-source GPS tracking system fixes two flaws, one critical
Take action: If you are running a Traccar instance, update to version 6 as soon as possible. If you cannot update immediately, read the advisories and disable self-registration as an interim measure, but still plan to patch: the mitigation only removes the unauthenticated path to the bug, not the bug itself.
Traccar, a widely used open-source GPS tracking system for personal and fleet management, has addressed two vulnerabilities in its 5.x releases, one of them rated critical, that can lead to remote code execution (RCE).
Traccar is a Java-based application that uses the Jetty web server. It allows users to register devices that communicate with the Traccar server using various protocols. The vulnerabilities stem from a feature introduced in Traccar 5.1 that lets users upload images for devices.
- CVE-2024-31214 (CVSS score 9.8, critical) - Traccar versions 5.1 through 5.12 allow an authenticated user to upload arbitrary files via the device image upload API, because neither the file content nor the resulting extension is restricted to images. Depending on where the file lands, this can lead to remote code execution, XSS, or DoS. The impact is worse with the default configuration, which allows self-registration, and on installations where the service runs with root/SYSTEM privileges, since any code an attacker gets executed inherits those rights.
- CVE-2024-24809 (CVSS score 8.5, high) - Traccar versions prior to 6.0 have a path traversal vulnerability in the same upload feature: a registered user can write files with the prefix `device.` under any folder on the host, which can be used for phishing, XSS, or arbitrary command execution. The issue is patched in version 6.0.
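To make the two checks concrete, here is an added illustration in Python (not Traccar's code, and not a reproduction of its handler) of the flaw class beside a hardened version. It assumes the folder component of the stored path comes from a client-supplied device identifier and the extension from the request's `Content-Type`; treat both as assumptions about the mechanism. `MEDIA_ROOT`, the function names and the sample identifier are hypothetical. The hardened handler allowlists the media type, constrains the identifier to a single safe path component, checks the body's magic bytes, and finally verifies that the normalised path still lives under the media root.

```python
import os
import re

# Assumed media directory for the example; Traccar's real location is not asserted here.
MEDIA_ROOT = "/opt/traccar/media"

# Naive handler (illustration of the flaw class, not Traccar's code): the
# client-controlled device identifier becomes a directory name and the
# Content-Type subtype becomes the extension, so "../../var/www/html" plus
# "image/jsp" yields a device.jsp outside the media tree.
def naive_image_path(unique_id: str, content_type: str) -> str:
    ext = content_type.split("/", 1)[1]
    return os.path.join(MEDIA_ROOT, unique_id, "device." + ext)


# Hardened handler: allowlisted types, strict identifier, magic-byte check,
# and a containment check on the final path.
ALLOWED_IMAGE_TYPES = {
    "image/png": "png",
    "image/jpeg": "jpg",
    "image/gif": "gif",
}
MAGIC_BYTES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# One path component only: no dots, no slashes, bounded length.
UNIQUE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def escapes_media_root(path: str) -> bool:
    """True when the normalised path does not stay under MEDIA_ROOT."""
    norm = os.path.normpath(path)
    return os.path.commonpath([MEDIA_ROOT, norm]) != MEDIA_ROOT


def hardened_image_path(unique_id: str, content_type: str, body: bytes) -> str:
    media_type = content_type.split(";", 1)[0].strip().lower()
    ext = ALLOWED_IMAGE_TYPES.get(media_type)
    if ext is None:
        raise UploadRejected("unsupported content type: " + content_type)
    if not UNIQUE_ID_RE.fullmatch(unique_id):
        raise UploadRejected("device identifier is not a safe path component")
    if not any(body.startswith(magic) for magic in MAGIC_BYTES[ext]):
        raise UploadRejected("body does not look like a " + ext + " image")
    path = os.path.normpath(os.path.join(MEDIA_ROOT, unique_id, "device." + ext))
    # Belt and braces: even after the identifier check, confirm containment.
    if escapes_media_root(path):
        raise UploadRejected("resolved path leaves the media directory")
    return path


def is_rejected(unique_id: str, content_type: str, body: bytes) -> bool:
    """Convenience wrapper: True when the hardened handler refuses the upload."""
    try:
        hardened_image_path(unique_id, content_type, body)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    hostile = naive_image_path("../../var/www/html", "image/jsp")
    print("naive:", hostile, "escapes media root:", escapes_media_root(hostile))
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed PNG header
    print("hardened:", hardened_image_path("IMEI123456", "image/png", png))
    for args in (("../../var/www/html", "image/png", png),
                 ("IMEI123456", "image/jsp", b"<% out.println(1); %>")):
        print("rejected:", args[0], args[1], is_rejected(*args))
```

The identifier regex deliberately excludes dots, so `.` and `..` never reach the filesystem, and the containment check catches anything that slips past it. The magic-byte check is a cheap sanity test, not a full image decoder, so pair it with an allowlisted extension rather than relying on it alone.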
In practice both issues affect Traccar versions 5.1 to 5.12, since the image upload feature they depend on did not exist before 5.1. If the registration setting is enabled and certain access controls are relaxed (both of which are the default settings), the vulnerabilities can be exploited without any pre-existing credentials: the attacker simply self-registers an account and uses it.
Users are strongly advised to upgrade to Traccar 6, where both vulnerabilities have been patched. Traccar 6 also changes the default setting for guest registration to off, which significantly reduces the attack surface for any similar bug in the future. For those unable to upgrade immediately, disabling guest registration is the critical interim mitigation, because it removes the unauthenticated route to the upload API.
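A quick way to check your own instances for the two conditions above is an added script (not part of Traccar or of the advisories) that queries the server's `/api/server` endpoint, which Traccar serves without authentication, and compares the reported version and registration flag against the affected ranges. The script assumes that the JSON response carries `registration` and `version` fields; if your build does not report a version, the script says so rather than guessing. The sample response embedded below is constructed.

```python
import json
import sys
import urllib.request


def parse_version(version: str) -> tuple:
    """'5.12' -> (5, 12); non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess(server: dict) -> list:
    """Return human-readable findings for one /api/server response."""
    findings = []
    version_str = str(server.get("version") or "")
    version = parse_version(version_str) if version_str else None
    if version is None:
        findings.append("version not reported; confirm the build manually")
    else:
        if version < (6, 0):
            findings.append("CVE-2024-24809: version %s is before 6.0 (path traversal)" % version_str)
        if (5, 1) <= version[:2] <= (5, 12):
            findings.append("CVE-2024-31214: version %s is in 5.1..5.12 (arbitrary file upload)" % version_str)
    if server.get("registration") is True:
        findings.append("self-registration enabled: anyone can create an account")
        if any(f.startswith("CVE-") for f in findings):
            findings.append("exposed: vulnerable version plus open registration, no prior credentials needed")
    return findings


def fetch_server(base_url: str, timeout: float = 10.0) -> dict:
    """GET <base_url>/api/server and decode the JSON body (assumed unauthenticated)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/server",
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample standing in for a live response from a vulnerable 5.12 server.
SAMPLE_SERVER = {"id": 0, "registration": True, "readonly": False, "version": "5.12"}


if __name__ == "__main__":
    server = fetch_server(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SERVER
    for finding in assess(server) or ["no findings"]:
        print("-", finding)
```

Run it as `python3 check_traccar.py https://tracker.example.org` (hypothetical hostname); with no argument it evaluates the embedded sample. On the server side the interim fix is the `registration` key in `traccar.xml` set to `false`, followed by a service restart; re-running the script should then no longer report open registration, and after the upgrade it should report nothing at all.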