CVE-2024-29399 is a remote code execution and privilege escalation vulnerability affecting GNU Savane versions 3.13 and earlier. The flaw exists in the upload.php component, which improperly processes uploaded files, allowing an authenticated remote attacker to upload a maliciously crafted file that can execute arbitrary code on the server. This vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the application fails to properly validate or sanitize input that is subsequently executed. The attacker requires at least limited privileges (authentication) to exploit this issue but does not require any additional user interaction. The vulnerability impacts confidentiality and integrity severely by enabling code execution and privilege escalation, while availability impact is low. The CVSS v3.1 score of 7.6 reflects these factors: Attack Vector is adjacent network (AV:A), Attack Complexity is low (AC:L), Privileges Required are low (PR:L), no user interaction (UI:N), scope unchanged (S:U), with high impact on confidentiality (C:H) and integrity (I:H), and low impact on availability (A:L). No patches or fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. This vulnerability poses a significant risk to organizations using GNU Savane for project hosting and management, as successful exploitation could lead to full system compromise and unauthorized access to sensitive project data.

The vulnerability allows remote attackers with limited privileges to execute arbitrary code and escalate privileges on affected GNU Savane servers. This can lead to full system compromise, unauthorized access to sensitive project data, and potential disruption of project management operations. Confidentiality and integrity of hosted projects and user data are at high risk, potentially exposing intellectual property and user credentials. Although availability impact is low, attackers could leverage the code execution to deploy further malware or pivot within the network, increasing overall organizational risk. Organizations relying on GNU Savane for critical development infrastructure may face operational disruption, data breaches, and reputational damage if exploited. The lack of available patches increases the window of exposure until mitigations or updates are applied.

Organizations should immediately restrict upload.php access to trusted authenticated users and monitor upload activity for suspicious files. Implement strict input validation and file type restrictions on uploads to prevent malicious code execution. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to exploit this vulnerability. Isolate GNU Savane servers in segmented network zones with limited access to reduce lateral movement risk. Regularly audit user privileges and remove unnecessary upload permissions. Monitor logs for anomalous behavior indicative of exploitation attempts. Until an official patch is released, consider disabling the upload functionality if feasible or replacing GNU Savane with alternative project management tools. Stay updated with vendor advisories for patches and apply them promptly once available.