CVE-2024-32871 (GCVE-0-2024-32871)

Vulnerability from cvelistv5

Published

2024-06-04 14:43

Modified

2024-08-02 02:20

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Summary

Pimcore is an Open Source Data & Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the original. This vulnerability is fixed in 11.2.4.

References

►

URL

Tags

security-advisories@github.com	https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06	Patch
security-advisories@github.com	https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85	Patch
security-advisories@github.com	https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	pimcore	pimcore	Version: >= 11.0.0, < 11.2.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:pimcore:pimcore:11.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "pimcore",
            "vendor": "pimcore",
            "versions": [
              {
                "lessThanOrEqual": "11.2.4",
                "status": "affected",
                "version": "11.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-32871",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-04T15:25:35.260033Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-05T05:15:37.005Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:20:35.642Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx"
          },
          {
            "name": "https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06"
          },
          {
            "name": "https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pimcore",
          "vendor": "pimcore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 11.0.0, \u003c 11.2.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the original. This vulnerability is fixed in 11.2.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-04T14:43:20.796Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx"
        },
        {
          "name": "https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06"
        },
        {
          "name": "https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85"
        }
      ],
      "source": {
        "advisory": "GHSA-277c-5vvj-9pwx",
        "discovery": "UNKNOWN"
      },
      "title": "Pimcore Vulnerable to Flooding Server with Thumbnail files"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-32871",
    "datePublished": "2024-06-04T14:43:20.796Z",
    "dateReserved": "2024-04-19T14:07:11.229Z",
    "dateUpdated": "2024-08-02T02:20:35.642Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-32871\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-06-04T15:15:45.757\",\"lastModified\":\"2024-11-21T09:15:54.353\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Pimcore is an Open Source Data \u0026 Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the original. This vulnerability is fixed in 11.2.4.\"},{\"lang\":\"es\",\"value\":\"Pimcore es una plataforma de gesti\u00f3n de experiencias y datos de c\u00f3digo abierto. La generaci\u00f3n de miniaturas de Pimcore se puede utilizar para inundar el servidor con archivos grandes. Al cambiar la extensi\u00f3n del archivo o el factor de escala de la miniatura solicitada, los atacantes pueden crear archivos cuyo tama\u00f1o sea mucho mayor que el original. Esta vulnerabilidad se solucion\u00f3 en 11.2.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.2.4\",\"matchCriteriaId\":\"47F9DB6E-D290-472C-A1D0-1616F7871111\"}]}]}],\"references\":[{\"url\":\"https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Pimcore Vulnerable to Flooding Server with Thumbnail files\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-770\", \"lang\": \"en\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx\"}, {\"name\": \"https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06\"}, {\"name\": \"https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85\"}], \"affected\": [{\"vendor\": \"pimcore\", \"product\": \"pimcore\", \"versions\": [{\"version\": \"\u003e= 11.0.0, \u003c 11.2.4\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-06-04T14:43:20.796Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Pimcore is an Open Source Data \u0026 Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the original. This vulnerability is fixed in 11.2.4.\"}], \"source\": {\"advisory\": \"GHSA-277c-5vvj-9pwx\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-32871\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-04T15:25:35.260033Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:pimcore:pimcore:11.0.0:*:*:*:*:*:*:*\"], \"vendor\": \"pimcore\", \"product\": \"pimcore\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"11.2.4\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-04T15:28:32.084Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-32871\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-04-19T14:07:11.229Z\", \"datePublished\": \"2024-06-04T14:43:20.796Z\", \"dateUpdated\": \"2024-06-05T05:15:37.005Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2024-32871

Vulnerability from fkie_nvd

Published

2024-06-04 15:15

Modified

2024-11-21 09:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06	Patch
security-advisories@github.com	https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85	Patch
security-advisories@github.com	https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	pimcore	pimcore	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "47F9DB6E-D290-472C-A1D0-1616F7871111",
              "versionEndExcluding": "11.2.4",
              "versionStartIncluding": "11.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pimcore is an Open Source Data \u0026 Experience Management Platform. The Pimcore thumbnail generation can be used to flood the server with large files. By changing the file extension or scaling factor of the requested thumbnail, attackers can create files that are much larger in file size than the original. This vulnerability is fixed in 11.2.4."
    },
    {
      "lang": "es",
      "value": "Pimcore es una plataforma de gesti\u00f3n de experiencias y datos de c\u00f3digo abierto. La generaci\u00f3n de miniaturas de Pimcore se puede utilizar para inundar el servidor con archivos grandes. Al cambiar la extensi\u00f3n del archivo o el factor de escala de la miniatura solicitada, los atacantes pueden crear archivos cuyo tama\u00f1o sea mucho mayor que el original. Esta vulnerabilidad se solucion\u00f3 en 11.2.4."
    }
  ],
  "id": "CVE-2024-32871",
  "lastModified": "2024-11-21T09:15:54.353",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-06-04T15:15:45.757",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-277c-5vvj-9pwx

Vulnerability from github

Published

2024-06-04 17:18

Modified

2024-06-04 17:18

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Flooding Server with Thumbnail files

Details

1. All Imagick supported Fileformats are served without filtering

The Thumbnail endpoint does not check against any filters what file formats should be served. We can transcode the image in all formats imagemagick supports. With that we can create Files that are much larger in filesize than the original. For example we can create a .txt file for all thumbnails, and we get the text representation of the image.

We can demonstrate that with the pimcore demo:

This Thumbnail is found on the Frontend: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89.avif (12kb Filesize)

We can generate a text representation by simply changing the file extension: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89.txt (4.59mb Filesize)

Other (large) fileformats we tested: ftxt, dip, bmp, bmp3, bmp2, farbfeld, cmyk, cmyka, ycbcr, ycbcra and many more (just check imagemagick supported formats)

With that we can fill the available space of a server really easy.

With formats like yaml or json we can also expose exif data of the original image file - could be a concern with gps data in user uploaded images.

TLDR

we can generate all imagemagick supported formats with all thumbnail configs
all configs were the format is set to "auto (Web-optimized)" are vulnerable
private (exif) data can be exposed.
We can flood the the server with a bunch of files that are a multiple magnitudes of the original thumbnail size (see txt example), for all thumbnail configs, with every image that we find (scriptable)

Proposed Solution

Implement a list of allowed formats that the developer can modify if needed, if a file is requested in another format than listed, pimcore should return either "/bundles/pimcoreadmin/img/filetype-not-supported.svg" or a 404.

yaml pimcore: thumbnails: allowed_formats: ['jpg', 'png', 'avif', 'webp', 'gif']

For non-maintained Pimcore versions (<11), the webserver config could be used to only serve files that should be allowed.

2. Non Web optimized file formats (ORIGINAL, JPG, PNG) creates duplicated files on Server

With Thumbnail config that are configured to serve non web optimized file formats (such as ORIGINAL, jpg, png, print, etc) we can create files with arbitrary file formats that are saved to disk.

For example, the thumbnail configuration "print_backgroundimage" (in the pimcore demo) can be used to create files such as:

https://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb__3__print_backgroundimage/auto-3095119.aaa https://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb__3__print_backgroundimage/auto-3095119.aab https://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb__3__print_backgroundimage/auto-3095119.aac

Each request creates a new copy of the original (jpg) thumbnail file. The server can be flooded with a bunch of files.

Code for this mechanism is here: https://github.com/pimcore/pimcore/blob/11.x/models/Asset/Service.php#L621-L623

Proposed Solution

Use same filtered list from "All Imagick supported Fileformats are served without filtering" and do not copy the arbitrary file to disk, just serve the original image file under the "new" name.

3. Scaling Factor is not limited and can be modified via url

We can scale each thumbnail to an arbitrary factor with @x added to the request url.

For example:

https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@1x.avif https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@1.01x.avif https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@1.08x.avif https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@2x.avif

If the thumbnail config allows "forced" resizing, we could also do something like:

https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@192x.avif

Each request will create a new file, flooding the server with more files. If the factor is big enough, we can also max out the CPU with a single request for quite some time (only really a problem with "forced")

In combination with the first vulnerability we can also generate (large) text files for scaled images:

https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@4x.txt (6.6 mb filesize)

Proposed solution

Limit scale factors with an allowlist:

yaml pimcore: thumbnails: allowed_scale_factors: [1.25, 1.5, 2, 4]

Impact

All Pimcore Instances are affected, as far as we can see, also all versions

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-32871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-04T17:18:22Z",
    "nvd_published_at": "2024-06-04T15:15:45Z",
    "severity": "HIGH"
  },
  "details": "# Details\n## 1. All Imagick supported Fileformats are served without filtering\n\nThe Thumbnail endpoint does not check against any filters what file formats should be served. We can transcode the image in all formats imagemagick supports. With that we can create Files that are much larger in filesize than the original. For example we can create a .txt file for all thumbnails, and we get the text representation of the image.\n\nWe can demonstrate that with the pimcore demo: \n\nThis Thumbnail is found on the Frontend: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89.avif (12kb Filesize)\n\nWe can generate a text representation by simply changing the file extension: https://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89.txt (4.59mb Filesize)\n\nOther (large) fileformats we tested: ftxt, dip, bmp, bmp3, bmp2, farbfeld, cmyk, cmyka, ycbcr, ycbcra and many more (just check imagemagick supported formats)\n\nWith that we can fill the available space of a server really easy.\n\nWith formats like yaml or json we can also expose exif data of the original image file - could be a concern with gps data in user uploaded images.\n\n### TLDR\n\n- we can generate all imagemagick supported formats with all thumbnail configs\n- all configs were the format is set to \"auto (Web-optimized)\" are vulnerable\n- private (exif) data can be exposed.\n- We can flood the the server with a bunch of files that are a multiple magnitudes of the original thumbnail size (see txt example), for all thumbnail configs, with every image that we find (scriptable)\n\n### Proposed Solution\n\nImplement a list of allowed formats that the developer can modify if needed, if a file is requested in another format than listed, pimcore should return either \"/bundles/pimcoreadmin/img/filetype-not-supported.svg\" or a 404.\n\n```yaml\npimcore:\n    thumbnails:\n    \tallowed_formats: [\u0027jpg\u0027, \u0027png\u0027, \u0027avif\u0027, \u0027webp\u0027, \u0027gif\u0027]\n```\n\nFor non-maintained Pimcore versions (\u003c11), the webserver config could be used to only serve files that should be allowed. \n\n## 2. Non Web optimized file formats (ORIGINAL, JPG, PNG)  creates duplicated files on Server\n\nWith Thumbnail config that are configured to serve non web optimized file formats (such as ORIGINAL, jpg, png, print, etc) we can create files with arbitrary file formats that are saved to disk.\n\nFor example, the thumbnail configuration \"print_backgroundimage\" (in the pimcore demo) can be used to create files such as: \n\nhttps://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb__3__print_backgroundimage/auto-3095119.aaa\nhttps://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb__3__print_backgroundimage/auto-3095119.aab\nhttps://demo.pimcore.fun/Car%20Images/jaguar/3/image-thumb__3__print_backgroundimage/auto-3095119.aac \n\nEach request creates a new copy of the original (jpg) thumbnail file. The server can be flooded with a bunch of files.\n\nCode for this mechanism is here: https://github.com/pimcore/pimcore/blob/11.x/models/Asset/Service.php#L621-L623\n\n### Proposed Solution\n\nUse same filtered list from \"All Imagick supported Fileformats are served without filtering\" and do not copy the arbitrary file to disk, just serve the original image file under the \"new\" name.\n\n## 3. Scaling Factor is not limited and can be modified via url\n\nWe can scale each thumbnail to an arbitrary factor with @\u003cfloat\u003ex added to the request url.\n\nFor example: \n\nhttps://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@1x.avif\nhttps://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@1.01x.avif\nhttps://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@1.08x.avif\nhttps://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@2x.avif\n\nIf the thumbnail config allows \"forced\" resizing, we could also do something like:\n\nhttps://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@192x.avif  \n\nEach request will create a new file, flooding the server with more files.\nIf the factor is big enough, we can also max out the CPU with a single request for quite some time (only really a problem with \"forced\")\n\nIn combination with the first vulnerability we can also generate (large) text files for scaled images:\n\nhttps://demo.pimcore.fun/Sample%20Content/Background%20Images/317/image-thumb__317__standardTeaser/11.8c64bd89@4x.txt (6.6 mb filesize)\n\n### Proposed solution\n\nLimit scale factors with an allowlist:\n\n```yaml\npimcore:\n    thumbnails:\n    \tallowed_scale_factors: [1.25, 1.5, 2, 4]\n```\n\n\n# Impact\nAll Pimcore Instances are affected, as far as we can see, also all versions",
  "id": "GHSA-277c-5vvj-9pwx",
  "modified": "2024-06-04T17:18:22Z",
  "published": "2024-06-04T17:18:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-277c-5vvj-9pwx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32871"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/commit/38af70b3130f16fc27f2aea34e2943d7bdaaba06"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/commit/a6821a16ea38086bf6012e682e1743488244bd85"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Flooding Server with Thumbnail files"
}

gsd-2024-32871

Vulnerability from gsd

Modified

2024-04-20 05:02

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2024-32871

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-32871"
      ],
      "id": "GSD-2024-32871",
      "modified": "2024-04-20T05:02:00.339472Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-32871",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-32871 (GCVE-0-2024-32871)

Vulnerability from cvelistv5

fkie_cve-2024-32871

Vulnerability from fkie_nvd

ghsa-277c-5vvj-9pwx

Vulnerability from github

Details

1. All Imagick supported Fileformats are served without filtering

TLDR

Proposed Solution

2. Non Web optimized file formats (ORIGINAL, JPG, PNG) creates duplicated files on Server

Proposed Solution

3. Scaling Factor is not limited and can be modified via url

Proposed solution

Impact

gsd-2024-32871

Vulnerability from gsd

Tags

Sightings

Nomenclature