CVE-2023-34252

Exploit

EPSS 0.35%
Veröffentlicht 14.06.2023 22:15:09
Zuletzt bearbeitet 21.11.2024 08:06:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. Version 1.7.42 contains a patch for this issue. End users should also ensure that `twig.undefined_functions` and `twig.undefined_filters` properties in `/path/to/webroot/system/config/system.yaml` configuration file are set to `false` to disallow Twig from treating undefined filters/functions as PHP functions and executing them.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Getgrav ≫ Grav Version < 1.7.42

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.57

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698

Issue Tracking

https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074

Issue Tracking

https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec

Patch

https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-34252

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-34252

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-34252

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-34252