CVE-2024-45440: n/a in Drupal Drupal core
core/authorize.php in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of hash_salt is file_get_contents of a file that does not exist.
AI Analysis
Technical Summary
CVE-2024-45440 is a medium-severity vulnerability affecting the Drupal core, specifically version 11.x-dev. The issue resides in the core/authorize.php file, where the application attempts to read the value of the hash_salt configuration parameter using PHP's file_get_contents function on a file that does not exist. This improper handling leads to a Full Path Disclosure vulnerability, meaning that the absolute file system path of the server is revealed to an unauthenticated remote attacker. Notably, this disclosure occurs even when Drupal's error logging is set to 'None,' which is intended to suppress error messages and prevent information leakage. The vulnerability is classified under CWE-209 (Information Exposure Through an Error Message), indicating that error messages reveal sensitive information that could aid attackers in further exploitation. The CVSS 3.1 base score is 5.3 (medium), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and impact limited to confidentiality (C:L), with no impact on integrity or availability. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. This vulnerability allows attackers to gather sensitive server path information remotely without authentication or user interaction, which could be leveraged in subsequent attacks such as directory traversal, local file inclusion, or targeted exploitation of other vulnerabilities relying on path knowledge.
Potential Impact
For European organizations using Drupal 11.x-dev, this vulnerability poses a risk primarily related to information disclosure. The exposure of full server paths can assist attackers in mapping the server environment, identifying directory structures, and locating sensitive files or configuration data. While the vulnerability does not directly allow code execution or data modification, the disclosed information can facilitate more sophisticated attacks, including privilege escalation or exploitation of other vulnerabilities. Organizations in sectors with high-value targets such as government, finance, healthcare, and critical infrastructure could be particularly impacted, as attackers often use path disclosure to tailor attacks against specific environments. Since Drupal is widely used across Europe for public sector websites, e-commerce platforms, and content management, the vulnerability could affect a broad range of organizations. The fact that no authentication or user interaction is required increases the risk of automated scanning and reconnaissance by threat actors. However, the medium severity and limited impact on confidentiality mean that while the vulnerability is concerning, it is not immediately critical but should be addressed promptly to reduce attack surface.
Mitigation Recommendations
- Avoid using the vulnerable 11.x-dev development version of Drupal core in production environments; prefer stable, officially released versions where this issue is not present.
- If using Drupal 11.x-dev, implement strict file existence checks before assigning the hash_salt value via file_get_contents to prevent attempts to read non-existent files that trigger path disclosure.
- Configure web server and PHP error handling to suppress detailed error messages and stack traces from being sent to clients, including disabling display_errors and enabling error logging to secure locations.
- Employ web application firewalls (WAFs) with custom rules to detect and block requests that attempt to exploit this vulnerability or probe for path disclosure.
- Regularly monitor Drupal security advisories and update to patched versions as soon as they become available.
- Conduct internal code reviews and penetration testing focusing on error handling and information leakage vectors, especially in custom modules or configurations that interact with hash_salt or file operations.
- Limit access to sensitive files and directories at the OS and web server level using appropriate permissions to reduce the impact of any disclosed paths.
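The file existence check recommended above, sketched for settings.php as an added example; it is not Drupal's own code and not part of the original analysis. The helper name example_read_hash_salt and the path /path/outside/docroot/salt.txt are placeholders assumed for illustration.

```php
<?php
// Added example for sites/default/settings.php; not Drupal core code.

// Pattern the advisory describes: when the file is missing, file_get_contents()
// raises a warning whose text includes the absolute path.
// $settings['hash_salt'] = file_get_contents('/path/outside/docroot/salt.txt');

/**
 * Hypothetical helper: returns the salt, or '' if it cannot be read.
 */
function example_read_hash_salt(string $path): string {
  // Check first so a missing or unreadable file never reaches file_get_contents().
  if (!is_file($path) || !is_readable($path)) {
    return '';
  }
  // @ covers the narrow race where the file disappears after the check.
  $salt = @file_get_contents($path);
  return $salt === false ? '' : trim($salt);
}

// Placeholder path (assumption); keep the real file outside the web root.
$example_salt = example_read_hash_salt('/path/outside/docroot/salt.txt');

if ($example_salt === '') {
  // Fail closed: log server-side without the path, send a generic response.
  error_log('settings.php: hash_salt source is missing, unreadable or empty');
  if (PHP_SAPI !== 'cli') {
    http_response_code(503);
  }
  exit('Service temporarily unavailable.');
}

$settings['hash_salt'] = $example_salt;
```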
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: drupal
- Date Reserved: 2024-08-29T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d984bc4522896dcbf7d61
Added to database: 5/21/2025, 9:09:31 AM
Last enriched: 6/21/2025, 2:09:15 PM
Last updated: 7/28/2025, 10:13:05 AM