CVE-2024-22217

Last Modified:
18 Jul 2024
User Level:
Administrator

Potential Server-Side Request Forgery (SSRF) vulnerabilities

CVE-2024-22217 describes a vulnerability where, under specific conditions, authenticated Terminalfour users could use certain features to reach internal services, including services that expose sensitive information on the server that Terminalfour runs on.

There are two parts to this vulnerability: the first is the underlying server configuration and local service restrictions; the second is the set of Terminalfour features that allow access to these internal services.

Server configuration

For all of our hosted clients, we have ensured that any ability to access these internal services has been disabled. We have ensured that the EC2 Instance Metadata Service version 2 (IMDSv2) is required by default. Any self-hosted client should check that this or similar services are restricted.

Terminalfour features

In 8.3.19, there is now an ability to set up a URL "allow list", which restricts these features from accessing any URL except the URLs in the allow list. There is no user interface for this and it requires database interaction; please reach out to us if you want to enable this feature. The allow list restricts the following features:

  • Data Object
  • Web Object
  • Import URL
  • Content Syncer
  • Packages
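As an added illustration of what such an allow list enforces before an outbound fetch, the following Python is example code written for this article, not Terminalfour's implementation (which is configured in the database as described above). The hosts in ALLOW_LIST are constructed placeholders; the blocked ranges are the loopback, private and link-local networks where internal services such as the instance metadata service live.

```python
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Constructed allow list: (scheme, host, path prefix) triples that outbound
# features such as Data Object or Import URL are permitted to fetch.
ALLOW_LIST = [
    ("https", "feeds.example.edu", "/rss/"),
    ("https", "api.example.edu", "/"),
]

# Defence in depth: address ranges never fetched even if an entry matched,
# covering loopback, RFC 1918, and link-local (169.254.0.0/16, where the
# EC2 instance metadata service lives).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def host_is_blocked_ip(host: str) -> bool:
    """True if host is an IP literal inside one of the blocked ranges."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a DNS name, not an IP literal
    return any(addr in net for net in BLOCKED_NETWORKS)


def is_allowed_url(url: str, allow_list=ALLOW_LIST) -> bool:
    """True only if url matches an allow-list entry and is not internal; anything unparseable is denied."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False
    if parts.username or parts.password:  # reject user@host confusion
        return False
    if port not in (None, 80, 443):  # only default ports are fetched
        return False
    if host_is_blocked_ip(host):
        return False
    path = posixpath.normpath(parts.path or "/")  # "/rss/../x" -> "/x"
    for scheme, allowed_host, prefix in allow_list:
        if (parts.scheme == scheme and host == allowed_host
                and (path == prefix.rstrip("/") or path.startswith(prefix))):
            return True
    return False
```

Because only named hosts on the list pass, the IP-range check is defence in depth; resolving the host and re-checking the resolved address at fetch time also covers DNS rebinding.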

The issue was addressed in Terminalfour version 8.3.19 and it is recommended that you upgrade to avail of this new allow list feature.

Currently, there is no evidence of this CVE being actively exploited.
