CVE-2024-29309
Description
Alfresco Content Services prior to 23.3.0.23 allows remote code execution via the Transfer Service by configuring a malicious Endpoint Host and Port.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Alfresco Content Services prior to 23.3.0.23 allows remote code execution via the Transfer Service by configuring a malicious Endpoint Host and Port.
Vulnerability
Overview
The vulnerability resides in the Transfer Service of Alfresco Content Services (ACS). The root cause is that the service allows users to configure the Endpoint Host and Endpoint Port properties for transfer folders. An attacker can exploit this by setting up a malicious Transfer Receiver and then configuring the transfer folder's endpoint to point to this malicious service. This enables the attacker to execute arbitrary code on the ACS server [1].
Exploitation
Prerequisites
To exploit the vulnerability, an attacker requires authenticated access to the ACS instance with sufficient privileges to create or modify transfer target folders within the Data Dictionary > Transfers > Transfer Target Groups > Default Group path. The attacker must also control an external server that acts as the malicious Transfer Receiver. By specifying the attacker-controlled host and port in the transfer folder properties, the Transfer Service will connect to the malicious receiver, leading to remote code execution [1].
Impact
Successful exploitation allows a remote, authenticated attacker to achieve arbitrary code execution on the Alfresco Content Services server. This can lead to full compromise of the application, including data exfiltration, modification, or further lateral movement within the network. The CVSS v3 score of 7.7 (High) reflects the significant impact on confidentiality, integrity, and availability [1].
Mitigation
The vulnerability affects Alfresco Content Services versions prior to 23.3.0.23. The issue has been fixed in version 23.3.0.23. Users are strongly advised to upgrade to the patched version or apply any available vendor workarounds to mitigate the risk of exploitation [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2= 23.3.0.7+ 1 more
- (no CPE)range: = 23.3.0.7
- (no CPE)range: = 23.3.0.7
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The Transfer Service allows unvalidated configuration of Endpoint Host and Endpoint Port properties, enabling an attacker to direct the service to a malicious endpoint and achieve code injection."
Attack vector
An attacker first sets up a malicious Transfer Receiver server. They then create a new transfer target folder in the Alfresco repository and configure its "Endpoint Host" and "Endpoint Port" properties to point to their malicious server [ref_id=1]. When the Transfer Service connects to the attacker-controlled endpoint, the attacker can deliver a malicious payload that leads to arbitrary code execution on the Alfresco Content Services server [CWE-94] [ref_id=1]. The attack requires the replication service to be enabled (replication.enabled=true) in alfresco-global.properties [ref_id=1].
Affected code
The vulnerability resides in the Transfer Service of Alfresco Content Services, specifically in the handling of the configurable properties "Endpoint Host" and "Endpoint Port" for transfer folders [ref_id=1]. The Transfer Service allows users to set these properties to arbitrary values when defining a transfer target (type trx:transferTarget) in Company Home > Data Dictionary > Transfers > Transfer Target Groups > Default Group [ref_id=1]. No specific source file or function name is identified in the advisory.
What the fix does
The advisory states the issue has been fixed in version 23.3.0.23 [ref_id=1]. No patch diff is provided in the bundle, so the exact code changes are unknown. The fix likely involves validating or sanitizing the Endpoint Host and Endpoint Port properties to prevent the Transfer Service from connecting to arbitrary attacker-controlled endpoints, thereby closing the code injection vector [CWE-94].
Preconditions
- configThe replication service must be enabled (replication.enabled=true) in alfresco-global.properties
- authAttacker must be able to create or modify transfer target folders in the repository to set Endpoint Host and Endpoint Port properties
- networkAttacker must operate a malicious Transfer Receiver server reachable from the Alfresco instance
Reproduction
The advisory references official documentation for detailed steps but does not include a complete, self-contained reproduction script [ref_id=1]. The PoC describes creating a transfer target folder in Company Home > Data Dictionary > Transfers > Transfer Target Groups > Default Group, setting the Endpoint Host and Endpoint Port to a malicious server, enabling replication, and then having the attacker's server deliver a malicious payload [ref_id=1]. The advisory also mentions setting up two files to act as the malicious server but the code snippet is truncated in the bundle.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.