Scoold - Authentication Bypass (CVE-2024-50334)
94Exploiting IPs reported
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type: application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false.
CrowdSec analysis
CVE-2024-50334 is a critical vulnerability in the Scoold Q&A platform that allows attackers to bypass authentication by exploiting a semicolon path injection on the /api;/config endpoint. This flaw enables unauthorized access to sensitive configuration data and, through crafted PUT requests with a specific content type, allows unauthenticated file reading via HOCON file inclusion. Attackers could leverage this vulnerability to retrieve confidential server files and potentially escalate their attacks further. The issue is resolved in Scoold version 1.64.0.
CrowdSec has been tracking this vulnerability and its exploits since 16th of July 2025.
Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2024-50334 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. CrowdSec data also reveals a clear uptick in attacks involving CVE-2024-50334 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.
Attackers exploit a semicolon path injection on the /api;/config endpoint using a PUT request to bypass authentication and access sensitive configuration data in vulnerable Scoold instances.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.