CVE-2023-34253

Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190	Issue Tracking
https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b	Patch
https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm	Exploit Vendor Advisory
https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/	Exploit Third Party Advisory
https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-06-14 23:15

Updated : 2023-11-07 04:15

NVD link : CVE-2023-34253

Mitre link : CVE-2023-34253

CVE.ORG link : CVE-2023-34253

JSON object : View

Products Affected

getgrav

grav

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

CWE-184

Incomplete List of Disallowed Inputs

{"id": "CVE-2023-34253", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-06-14T23:15:11.037", "references": [{"url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83", "tags": ["Patch"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1336"}, {"lang": "en", "value": "CWE-184"}]}], "descriptions": [{"lang": "en", "value": "Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist."}], "lastModified": "2023-11-07T04:15:32.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "758F84B9-A2EC-45D8-86DD-B309DB02B9AE", "versionEndExcluding": "1.7.42"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}