CVE-2022-27139

An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute javascript in a client's browser - this is expected and intentional functionality

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://ghost.org/docs/security/#privilege-escalation-attacks
https://youtu.be/FCqWEvir2wE	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ghost:ghost:4.39.0:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2022-04-12 17:15

Updated : 2024-06-04 19:17

NVD link : CVE-2022-27139

Mitre link : CVE-2022-27139

CVE.ORG link : CVE-2022-27139

JSON object : View

Products Affected

ghost

ghost

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2022-27139", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-04-12T17:15:09.840", "references": [{"url": "http://ghost.org/docs/security/#privilege-escalation-attacks", "source": "cve@mitre.org"}, {"url": "https://youtu.be/FCqWEvir2wE", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute javascript in a client's browser - this is expected and intentional functionality"}, {"lang": "es", "value": "** EN DISPUTA ** Una vulnerabilidad de carga de archivos arbitraria en el m\u00f3dulo de carga de archivos de Ghost versi\u00f3n v4.39.0, permite a atacantes ejecutar c\u00f3digo arbitrario por medio de un archivo SVG dise\u00f1ado. NOTA: El proveedor afirma que, tal y como se indica en la documentaci\u00f3n de seguridad de Ghost, la carga de SVG s\u00f3lo es posible por parte de usuarios autentificados de confianza. La carga de archivos SVG en Ghost no representa una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo. Los SVG no son ejecutables en el servidor, y s\u00f3lo pueden ejecutar javascript en el navegador de un cliente; se trata de una funcionalidad esperada e intencionada"}], "lastModified": "2024-06-04T19:17:15.347", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ghost:ghost:4.39.0:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "385A2C69-1F04-4162-BBFB-2FA2704DFC3E"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}