CVE-2024-27915

Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da
https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p

Configurations

No configuration.

History

No history.

Information

Published : 2024-03-06 20:15

Updated : 2024-03-06 21:42

NVD link : CVE-2024-27915

Mitre link : CVE-2024-27915

CVE.ORG link : CVE-2024-27915

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-27915", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.6}]}, "published": "2024-03-06T20:15:47.930", "references": [{"url": "https://github.com/sulu/sulu/commit/ec9c3f99e15336dc4f6877f512300f231c17c6da", "source": "security-advisories@github.com"}, {"url": "https://github.com/sulu/sulu/security/advisories/GHSA-jr83-m233-gg6p", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Sulu is a PHP content management system. Starting in verson 2.2.0 and prior to version 2.4.17 and 2.5.13, access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue. The problem is patched in versions 2.4.17 and 2.5.13. Some workarounds are available. One may apply the patch to `vendor/symfony/security-http/HttpUtils.php` manually or avoid installing `symfony/security-http` versions greater equal than `v5.4.30` or `v6.3.6`."}, {"lang": "es", "value": "Sulu es un sistema de gesti\u00f3n de contenidos PHP. A partir de la versi\u00f3n 2.2.0 y anteriores a la versi\u00f3n 2.4.17 y 2.5.13, el acceso a las p\u00e1ginas se otorga independientemente de los permisos de funci\u00f3n para los espacios web que tienen un sistema de seguridad configurado y la verificaci\u00f3n de permisos habilitada. Los espacios web sin \u00e9l no tienen este problema. El problema est\u00e1 solucionado en las versiones 2.4.17 y 2.5.13. Algunas soluciones est\u00e1n disponibles. Se puede aplicar el parche a `vendor/symfony/security-http/HttpUtils.php` manualmente o evitar instalar versiones de `symfony/security-http` mayores que `v5.4.30` o `v6.3.6`."}], "lastModified": "2024-03-06T21:42:48.053", "sourceIdentifier": "security-advisories@github.com"}