{"id":"CVE-2024-31214","summary":"Traccar's unrestricted file upload vulnerability in device image upload could lead to remote code execution","details":"Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it's not possible for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DOS, etc. The default install of Traccar makes this vulnerability more severe. Self-registration is enabled by default, allowing anyone to create an account to exploit this vulnerability. Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. 
One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably.\n","aliases":["GHSA-3gxq-f2qj-c8v9"],"modified":"2026-04-12T09:49:34.745501Z","published":"2024-04-10T17:20:55.407Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-434"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/31xxx/CVE-2024-31214.json"},"references":[{"type":"WEB","url":"https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/model/Device.java#L56"},{"type":"WEB","url":"https://github.com/traccar/traccar/blob/v5.12/src/main/java/org/traccar/api/resource/DeviceResource.java#L191"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/31xxx/CVE-2024-31214.json"},{"type":"ADVISORY","url":"https://github.com/traccar/traccar/security/advisories/GHSA-3gxq-f2qj-c8v9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-31214"},{"type":"FIX","url":"https://github.com/traccar/traccar/commit/3fbdcd81566bc72e319ec05c77cf8a4120b87b8f"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/traccar/traccar","events":[{"introduced":"15ff944349b44ead4d711459d7d0e54838c7f30c"},{"fixed":"9a285e59e580994dc9c3f80935f766f3dafdcd46"}]}],"versions":["v5.1","v5.10","v5.11","v5.12","v5.2","v5.3","v5.4","v5.5","v5.6","v5.7","v5.8","v5.9"],"database_specific":{"vanir_signatures_modified":"2026-04-12T09:49:34Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31214.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}