CVE-2023-34448 (GCVE-0-2023-34448)

Vulnerability from cvelistv5

Published

2023-06-14 22:06

Modified

2024-12-18 21:38

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-20 - Improper Input Validation
CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

Summary

Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.

References

►

URL

Tags

security-advisories@github.com	https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8	Patch, Vendor Advisory
security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8	Vendor Advisory
security-advisories@github.com	https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148	Vendor Advisory
security-advisories@github.com	https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/	Exploit, Patch, Third Party Advisory
security-advisories@github.com	https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	getgrav	grav	Version: < 1.7.42

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:10:06.973Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"
          },
          {
            "name": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
          },
          {
            "name": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"
          },
          {
            "name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
          },
          {
            "name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34448",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-18T21:38:33.590208Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-18T21:38:44.207Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grav",
          "vendor": "getgrav",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.7.42"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20: Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-14T22:16:40.551Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"
        },
        {
          "name": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
        },
        {
          "name": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"
        },
        {
          "name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
        },
        {
          "name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
        }
      ],
      "source": {
        "advisory": "GHSA-whr7-m3f8-mpm8",
        "discovery": "UNKNOWN"
      },
      "title": "Grav Server-side Template Injection (SSTI) via Twig Default Filters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-34448",
    "datePublished": "2023-06-14T22:06:01.338Z",
    "dateReserved": "2023-06-06T16:16:53.558Z",
    "dateUpdated": "2024-12-18T21:38:44.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-34448\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-06-14T23:15:11.107\",\"lastModified\":\"2024-11-21T08:07:16.537\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.\"},{\"lang\":\"es\",\"value\":\"Grav es un sistema de gesti\u00f3n de contenidos de archivos planos. Antes de la versi\u00f3n 1.7.42, el parche para CVE-2022-2073, una vulnerabilidad de inyecci\u00f3n de plantillas del lado del servidor en Gray aprovechando la funci\u00f3n predeterminada \\\"filter()\\\", no bloqueaba otras funciones integradas expuestas por la extensi\u00f3n principal de Twig que pod\u00edan utilizarse para invocar funciones no seguras arbitrarias, permitiendo as\u00ed la ejecuci\u00f3n remota de c\u00f3digo. Un parche en la versi\u00f3n 1.74.2 anula las funciones de filtro incorporadas de Twig \\\"map()\\\" y \\\"reduce()\\\" en \\\"system/src/Grav/Common/Twig/Extension/GravExtension.php\\\" para validar el argumento pasado al filtro en \\\"$arrow\\\". \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-1336\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.7.42\",\"matchCriteriaId\":\"758F84B9-A2EC-45D8-86DD-B309DB02B9AE\"}]}]}],\"references\":[{\"url\":\"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8\", \"name\": \"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148\", \"name\": \"https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\", \"name\": \"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\", \"name\": \"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T16:10:06.973Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-34448\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-18T21:38:33.590208Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-18T21:38:41.130Z\"}}], \"cna\": {\"title\": \"Grav Server-side Template Injection (SSTI) via Twig Default Filters\", \"source\": {\"advisory\": \"GHSA-whr7-m3f8-mpm8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"getgrav\", \"product\": \"grav\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.7.42\"}]}], \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8\", \"name\": \"https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148\", \"name\": \"https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\", \"name\": \"https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\", \"name\": \"https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20: Improper Input Validation\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1336\", \"description\": \"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-06-14T22:16:40.551Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-34448\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-12-18T21:38:44.207Z\", \"dateReserved\": \"2023-06-06T16:16:53.558Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-06-14T22:06:01.338Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2023-34448

Vulnerability from fkie_nvd

Published

2023-06-14 23:15

Modified

2024-11-21 08:07

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8	Patch, Vendor Advisory
security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8	Vendor Advisory
security-advisories@github.com	https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148	Vendor Advisory
security-advisories@github.com	https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/	Exploit, Patch, Third Party Advisory
security-advisories@github.com	https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/	Exploit, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	getgrav	grav	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "758F84B9-A2EC-45D8-86DD-B309DB02B9AE",
              "versionEndExcluding": "1.7.42",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`."
    },
    {
      "lang": "es",
      "value": "Grav es un sistema de gesti\u00f3n de contenidos de archivos planos. Antes de la versi\u00f3n 1.7.42, el parche para CVE-2022-2073, una vulnerabilidad de inyecci\u00f3n de plantillas del lado del servidor en Gray aprovechando la funci\u00f3n predeterminada \"filter()\", no bloqueaba otras funciones integradas expuestas por la extensi\u00f3n principal de Twig que pod\u00edan utilizarse para invocar funciones no seguras arbitrarias, permitiendo as\u00ed la ejecuci\u00f3n remota de c\u00f3digo. Un parche en la versi\u00f3n 1.74.2 anula las funciones de filtro incorporadas de Twig \"map()\" y \"reduce()\" en \"system/src/Grav/Common/Twig/Extension/GravExtension.php\" para validar el argumento pasado al filtro en \"$arrow\". "
    }
  ],
  "id": "CVE-2023-34448",
  "lastModified": "2024-11-21T08:07:16.537",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-06-14T23:15:11.107",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        },
        {
          "lang": "en",
          "value": "CWE-1336"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2023-34448

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-34448

Aliases

CVE-2023-34448

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-34448",
    "id": "GSD-2023-34448"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-34448"
      ],
      "details": "Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.",
      "id": "GSD-2023-34448",
      "modified": "2023-12-13T01:20:30.995560Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-34448",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "grav",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.7.42"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "getgrav"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-20",
                "lang": "eng",
                "value": "CWE-20: Improper Input Validation"
              }
            ]
          },
          {
            "description": [
              {
                "cweId": "CWE-1336",
                "lang": "eng",
                "value": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"
          },
          {
            "name": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
          },
          {
            "name": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148",
            "refsource": "MISC",
            "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"
          },
          {
            "name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
            "refsource": "MISC",
            "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
          },
          {
            "name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
            "refsource": "MISC",
            "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-whr7-m3f8-mpm8",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.7.42",
          "affected_versions": "All versions before 1.7.42",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-78",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2023-06-16",
          "description": "Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, does not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.",
          "fixed_versions": [
            "1.7.42"
          ],
          "identifier": "CVE-2023-34448",
          "identifiers": [
            "GHSA-whr7-m3f8-mpm8",
            "CVE-2023-34448"
          ],
          "not_impacted": "All versions starting from 1.7.42",
          "package_slug": "packagist/getgrav/grav",
          "pubdate": "2023-06-16",
          "solution": "Upgrade to version 1.7.42 or above.",
          "title": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "urls": [
            "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-34448",
            "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec",
            "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b",
            "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
            "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5",
            "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148",
            "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
            "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
            "https://github.com/advisories/GHSA-whr7-m3f8-mpm8"
          ],
          "uuid": "db925c4a-3da4-4441-90d9-ad3727692b6e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.7.42",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-34448"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"
            },
            {
              "name": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"
            },
            {
              "name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Mitigation",
                "Vendor Advisory"
              ],
              "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
            },
            {
              "name": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
            },
            {
              "name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-06-22T16:31Z",
      "publishedDate": "2023-06-14T23:15Z"
    }
  }
}

ghsa-whr7-m3f8-mpm8

Vulnerability from github

Published

2023-06-16 19:37

Modified

2023-06-16 19:37

Severity ?

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

Grav Server-side Template Injection (SSTI) via Twig Default Filters

Details

Hi,

actually we have sent the bug report to security@getgrav.org on 27th March 2023 and on 10th April 2023.

Grav Server-side Template Injection (SSTI) via Twig Default Filters

Summary:

| Product | Grav CMS | | ----------------------- | --------------------------------------------- | | Vendor | Grav | | Severity | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution | | Affected Versions | <= v1.7.40 (Commit 685d762) (Latest version as of writing) | | Tested Versions | v1.7.40 | | Internal Identifier | STAR-2023-0008 | | CVE Identifier | TBD | | CWE(s) | CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |

CVSS3.1 Scoring System:

Base Score: 7.2 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
| Metric | Value | | ---------------------------- | --------- | | Attack Vector (AV) | Network | | Attack Complexity (AC) | Low | | Privileges Required (PR) | High | | User Interaction (UI) | None | | Scope (S) | Unchanged | | Confidentiality (C) | High | | Integrity (I) | High | | Availability (A) | High |

Product Overview:

Grav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.

Vulnerability Summary:

The patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default filter() function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution.

Vulnerability Details:

Twig comes with an extension known as the Core Extension that is enabled by default when initialising a new Twig environment. Twig's Core Extension provides multiple built-in filters, such as the filter() function, which can be used in Twig templates.

CVE-2022-2073 leverages the default filter() filter function in Twig to invoke arbitrary unsafe functions. This was patched by overriding the default filter() filter function in commit 9d6a2d of Grav v1.7.34 to perform validation checks on the arguments passed to filter(): ~~~diff php ... class GravExtension extends AbstractExtension implements GlobalsInterface { ... public function getFilters(): array { return [ ... // Security fix + new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]), ]; }

...

/**
- @param Environment $env
- @param array $array
- @param callable|string $arrow
- @return array|CallbackFilterIterator
- @throws RuntimeError
*/
function filterFilter(Environment $env, $array, $arrow)
{
if (is_string($arrow) && Utils::isDangerousFunction($arrow)) {
throw new RuntimeError('Twig |filter("' . $arrow . '") is not allowed.');
} +
return \twig_array_filter($env, $array, $arrow);
} } ~~~

However, looking at the source code of /src/Extension/CoreExtension.php of Twig, alternative default Twig filters could also be used invoke arbitrary functions: ~~~php ... class CoreExtension extends AbstractExtension { ... public function getFilters(): array { return [ ... // array helpers ... new TwigFilter('filter', 'twig_array_filter', ['needs_environment' => true]), // unsafe new TwigFilter('map', 'twig_array_map', ['needs_environment' => true]), // unsafe new TwigFilter('reduce', 'twig_array_reduce', ['needs_environment' => true]), // unsafe ]; } ~~~

The three filter functions above respectively call array_filter(), array_map() and array_reduce(). Since only filter() is being overriden by Grav to ensure that the callable passed to filter() does not result in the invocation of an unsafe function, the other two functions (i.e. map() and reduce()) could be used by an authenticated attacker that is able to inject and render malicious templates to gain remote code execution.

Exploit Conditions:

This vulnerability can be exploited if the attacker has access to: 1. an administrator account, or 2. a non-administrator, user account that are granted the following permissions: - login access to Grav admin panel, and - page creation or update rights

Reproduction Steps:

Log in to Grav Admin using an administrator account.
Navigate to Accounts > Add, and ensure that the following permissions are assigned when creating a new low-privileged user:
- Login to Admin - Allowed
- Page Update - Allowed
Log out of Grav Admin, and log back in using the account created in step 2.
Navigate to http://<grav_installation>/admin/pages/home.
Click the Advanced tab and select the checkbox beside Twig to ensure that Twig processing is enabled for the modified webpage.
Under the Content tab, insert the following payload within the editor: ~~~twig {{ ['id'] | map('system') }} {{ ['id'] | reduce('system') }} ~~~
Click the Preview button. Observe that the output of the id shell command is returned in the preview.

Suggested Mitigations:

Override the built-in Twig map() and reduce() filter functions in system/src/Grav/Common/Twig/Extension/GravExtension.php to validate the argument passed to the filter in $arrow.

For example: ~~~diff ... class GravExtension extends AbstractExtension implements GlobalsInterface { ... public function getFilters(): array { return [ ... // Security fix new TwigFilter('filter', [$this, 'filterFilter'], ['needs_environment' => true]), + new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]), + new TwigFilter('reduce', [$this, 'reduceFilter'], ['needs_environment' => true]), ]; }

...

/**
- @param Environment $env
- @param array $array
- @param callable|string $arrow
- @return array|CallbackFilterIterator
- @throws RuntimeError
*/
function mapFilter(Environment $env, $array, $arrow)
{
if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
throw new RuntimeError('Twig |map("' . $arrow . '") is not allowed.');
} +
return \twig_array_map($env, $array, $arrow);
}
/**
- @param Environment $env
- @param array $array
- @param callable|string $arrow
- @return array|CallbackFilterIterator
- @throws RuntimeError
*/
function reduceFilter(Environment $env, $array, $arrow)
{
if (!$arrow instanceof Closure && !is_string($arrow) || Utils::isDangerousFunction($arrow)) {
throw new RuntimeError('Twig |reduce("' . $arrow . '") is not allowed.');
} +
return \twig_array_reduce($env, $array, $arrow);
} } ~~~

Detection Guidance:

The following strategies may be used to detect potential exploitation attempts. 1. Searching within Markdown pages using the following shell command:
grep -Priz -e '\|\s*(map|reduce)\s*\(' /path/to/webroot/user/pages/ 2. Searching within Doctrine cache data using the following shell command:
grep -Priz -e '\|\s*(map|reduce)\s*\(' --include '*.doctrinecache.data' /path/to/webroot/cache/ 3. Searching within Twig cache using the following shell command:
grep -Priz -e 'twig_array_(map|reduce)' /path/to/webroot/cache/twig/ 4. Searching within compiled Twig template files using the following shell command:
grep -Priz -e '\|\s*(map|reduce)\s*\(' /path/to/webroot/cache/compiled/files/

Note that it is not possible to detect indicators of compromise reliably using the Grav log file (located at /path/to/webroot/logs/grav.log by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.

Credits:

Ngo Wei Lin (@Creastery) & Wang Hengyue (@w_hy_04) of STAR Labs SG Pte. Ltd. (@starlabs_sg)

Vulnerability Disclosure:

This vulnerability report is subject to a 120 day disclosure deadline as per STAR Labs SG Pte. Ltd.'s Vulnerability Disclosure Policy. After 120 days have elapsed, the vulnerability report will be published to the public by STAR Labs SG Pte. Ltd. (STAR Labs).

The scheduled disclosure date is 25th July, 2023. Disclosure at an earlier date is also possible if agreed upon by all parties.

Kindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:
1. CVE-2023-30596 Server-side Template Injection (SSTI) in getgrav/grav <= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in GravExtension.filterFilter() and to achieve remote code execution via Twig's default filters map() and reduce(). This is a bypass of CVE-2022-2073.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.42"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-34448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-16T19:37:08Z",
    "nvd_published_at": "2023-06-14T23:15:11Z",
    "severity": "HIGH"
  },
  "details": "Hi,\n\nactually we have sent the bug report to [security@getgrav.org](mailto:security@getgrav.org) on 27th March 2023 and on 10th April 2023.\n\n# Grav Server-side Template Injection (SSTI) via Twig Default Filters\n\n## Summary:  \n| **Product**             | Grav CMS                                      |\n| ----------------------- | --------------------------------------------- |\n| **Vendor**              | Grav                                          |\n| **Severity**            | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution |\n| **Affected Versions**   | \u003c= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) |\n| **Tested Versions**     | v1.7.40                                       |\n| **Internal Identifier** | STAR-2023-0008                                |\n| **CVE Identifier**      | TBD                                           |\n| **CWE(s)**              | CWE-184: Incomplete List of Disallowed Inputs, CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine |\n\n## CVSS3.1 Scoring System:  \n**Base Score:** 7.2 (High)  \n**Vector String:** `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H`  \n| **Metric**                   | **Value** |\n| ---------------------------- | --------- |\n| **Attack Vector (AV)**       | Network   |\n| **Attack Complexity (AC)**   | Low       |\n| **Privileges Required (PR)** | High      |\n| **User Interaction (UI)**    | None      |\n| **Scope (S)**                | Unchanged |\n| **Confidentiality \\(C)**     | High      |\n| **Integrity (I)**            | High      |\n| **Availability (A)**         | High      |\n\n## Product Overview:  \nGrav is a PHP-based flat-file content management system (CMS) designed to provide a fast and simple way to build websites. It supports rendering of web pages written in Markdown and Twig expressions, and provides an administration panel to manage the entire website via an optional Admin plugin.\n\n## Vulnerability Summary:  \nThe patch for [CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/), a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig\u0027s Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution.\n\n## Vulnerability Details:  \nTwig comes with an extension known as the [Core Extension](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) that is enabled by default when initialising a new [Twig environment](https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148). Twig\u0027s Core Extension provides multiple built-in filters, such as the `filter()` function, which can be used in Twig templates. \n\n[CVE-2022-2073](https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/) leverages the default `filter()` filter function in Twig to invoke arbitrary unsafe functions. This was patched by overriding the default `filter()` filter function in commit [9d6a2d](https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83) of Grav v1.7.34 to perform validation checks on the arguments passed to `filter()`:\n~~~diff php\n...\nclass GravExtension extends AbstractExtension implements GlobalsInterface\n{\n    ...\n    public function getFilters(): array\n    {\n        return [\n            ...\n            // Security fix\n+           new TwigFilter(\u0027filter\u0027, [$this, \u0027filterFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n        ];\n    }\n    \n    ...\n\n+   /**\n+    * @param Environment $env\n+    * @param array $array\n+    * @param callable|string $arrow\n+    * @return array|CallbackFilterIterator\n+    * @throws RuntimeError\n+    */\n+   function filterFilter(Environment $env, $array, $arrow)\n+   {\n+       if (is_string($arrow) \u0026\u0026 Utils::isDangerousFunction($arrow)) {\n+           throw new RuntimeError(\u0027Twig |filter(\"\u0027 . $arrow . \u0027\") is not allowed.\u0027);\n+       }\n+\n+       return \\twig_array_filter($env, $array, $arrow);\n+   }\n}\n~~~\n\nHowever, looking at the source code of [/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/v1.44.7/src/Extension/CoreExtension.php) of Twig, alternative default Twig filters could also be used invoke arbitrary functions:\n~~~php\n...\nclass CoreExtension extends AbstractExtension\n{\n    ...\n    public function getFilters(): array\n    {\n        return [\n            ...\n            // array helpers\n            ...\n            new TwigFilter(\u0027filter\u0027, \u0027twig_array_filter\u0027, [\u0027needs_environment\u0027 =\u003e true]), // unsafe\n            new TwigFilter(\u0027map\u0027, \u0027twig_array_map\u0027, [\u0027needs_environment\u0027 =\u003e true]), // unsafe\n            new TwigFilter(\u0027reduce\u0027, \u0027twig_array_reduce\u0027, [\u0027needs_environment\u0027 =\u003e true]), // unsafe\n        ];\n    }\n~~~\n\nThe three filter functions above respectively call `array_filter()`, `array_map()` and `array_reduce()`. Since only `filter()` is being overriden by Grav to ensure that the callable passed to `filter()` does not result in the invocation of an unsafe function, the other two functions (i.e. `map()` and `reduce()`) could be used by an authenticated attacker that is able to inject and render malicious templates to gain remote code execution.\n\n## Exploit Conditions:    \nThis vulnerability can be exploited if the attacker has access to:\n1. an administrator account, or\n2. a non-administrator, user account that are granted the following permissions:\n    - login access to Grav admin panel, and\n    - page creation or update rights\n\n## Reproduction Steps:  \n1. Log in to Grav Admin using an administrator account.\n2. Navigate to `Accounts \u003e Add`, and ensure that the following permissions are assigned when creating a new low-privileged user:\n    * Login to Admin - Allowed\n    * Page Update - Allowed\n2. Log out of Grav Admin, and log back in using the account created in step 2.\n3. Navigate to `http://\u003cgrav_installation\u003e/admin/pages/home`.\n4. Click the `Advanced` tab and select the checkbox beside `Twig` to ensure that Twig processing is enabled for the modified webpage.\n5. Under the `Content` tab, insert the following payload within the editor:\n   ~~~twig\n   {{ [\u0027id\u0027] | map(\u0027system\u0027) }}\n   {{ [\u0027id\u0027] | reduce(\u0027system\u0027) }}\n   ~~~\n4. Click the Preview button. Observe that the output of the `id` shell command is returned in the preview.\n\n## Suggested Mitigations:  \nOverride the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.\n\nFor example:\n~~~diff\n...\nclass GravExtension extends AbstractExtension implements GlobalsInterface\n{\n    ...\n    public function getFilters(): array\n    {\n        return [\n            ...\n            // Security fix\n            new TwigFilter(\u0027filter\u0027, [$this, \u0027filterFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+           new TwigFilter(\u0027map\u0027, [$this, \u0027mapFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+           new TwigFilter(\u0027reduce\u0027, [$this, \u0027reduceFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n        ];\n    }\n\n    ...\n+   /**\n+    * @param Environment $env\n+    * @param array $array\n+    * @param callable|string $arrow\n+    * @return array|CallbackFilterIterator\n+    * @throws RuntimeError\n+    */\n+   function mapFilter(Environment $env, $array, $arrow)\n+   {\n+       if (!$arrow instanceof Closure \u0026\u0026 !is_string($arrow) || Utils::isDangerousFunction($arrow)) {\n+           throw new RuntimeError(\u0027Twig |map(\"\u0027 . $arrow . \u0027\") is not allowed.\u0027);\n+       }\n+\n+       return \\twig_array_map($env, $array, $arrow);\n+   }\n+ \n+   /**\n+    * @param Environment $env\n+    * @param array $array\n+    * @param callable|string $arrow\n+    * @return array|CallbackFilterIterator\n+    * @throws RuntimeError\n+    */\n+   function reduceFilter(Environment $env, $array, $arrow)\n+   {\n+       if (!$arrow instanceof Closure \u0026\u0026 !is_string($arrow) || Utils::isDangerousFunction($arrow)) {\n+           throw new RuntimeError(\u0027Twig |reduce(\"\u0027 . $arrow . \u0027\") is not allowed.\u0027);\n+       }\n+\n+       return \\twig_array_reduce($env, $array, $arrow);\n+   }\n}\n~~~\n\n## Detection Guidance:  \nThe following strategies may be used to detect potential exploitation attempts.\n1. Searching within Markdown pages using the following shell command:  \n   `grep -Priz -e \u0027\\|\\s*(map|reduce)\\s*\\(\u0027 /path/to/webroot/user/pages/`\n2. Searching within Doctrine cache data using the following shell command:  \n   `grep -Priz -e \u0027\\|\\s*(map|reduce)\\s*\\(\u0027  --include \u0027*.doctrinecache.data\u0027 /path/to/webroot/cache/`\n3. Searching within Twig cache using the following shell command:  \n   `grep -Priz -e \u0027twig_array_(map|reduce)\u0027 /path/to/webroot/cache/twig/`\n4. Searching within compiled Twig template files using the following shell command:  \n   `grep -Priz -e \u0027\\|\\s*(map|reduce)\\s*\\(\u0027 /path/to/webroot/cache/compiled/files/`\n\nNote that it is not possible to detect indicators of compromise reliably using the Grav log file (located at `/path/to/webroot/logs/grav.log` by default), as successful exploitation attempts do not generate any additional logs. However, it is worthwhile to examine any PHP errors or warnings logged to determine the existence of any failed exploitation attempts.\n\n## Credits:  \nNgo Wei Lin ([@Creastery](https://twitter.com/Creastery)) \u0026 Wang Hengyue ([@w_hy_04](https://twitter.com/w_hy_04)) of STAR Labs SG Pte. Ltd. ([@starlabs_sg](https://twitter.com/starlabs_sg))\n\n## Vulnerability Disclosure:  \nThis vulnerability report is subject to a 120 day disclosure deadline as per [STAR Labs SG Pte. Ltd.\u0027s Vulnerability Disclosure Policy](https://starlabs.sg/advisories/STAR%20Labs%20SG%20Pte.%20Ltd.%20Vulnerability%20Disclosure%20Policy.pdf). After 120 days have elapsed, the vulnerability report will be published to the public by [STAR Labs SG Pte. Ltd.](https://starlabs.sg/) (STAR Labs).  \n\nThe scheduled disclosure date is _**25th July, 2023**_. Disclosure at an earlier date is also possible if agreed upon by all parties.  \n\nKindly note that STAR Labs reserved and assigned the following CVE identifiers to the respective vulnerabilities presented in this report:  \n1. **CVE-2023-30596**\n    Server-side Template Injection (SSTI) in getgrav/grav \u003c= v1.7.40 allows Grav Admin users with page creation or update rights to bypass the dangerous functions denylist check in `GravExtension.filterFilter()` and to achieve remote code execution via Twig\u0027s default filters `map()` and `reduce()`. This is a bypass of CVE-2022-2073.\n",
  "id": "GHSA-whr7-m3f8-mpm8",
  "modified": "2023-06-16T19:37:08Z",
  "published": "2023-06-16T19:37:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34448"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    },
    {
      "type": "WEB",
      "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66"
    },
    {
      "type": "WEB",
      "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grav Server-side Template Injection (SSTI) via Twig Default Filters"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-34448 (GCVE-0-2023-34448)

Vulnerability from cvelistv5

fkie_cve-2023-34448

Vulnerability from fkie_nvd

gsd-2023-34448

Vulnerability from gsd

ghsa-whr7-m3f8-mpm8

Vulnerability from github

Grav Server-side Template Injection (SSTI) via Twig Default Filters

Summary:

CVSS3.1 Scoring System:

Product Overview:

Vulnerability Summary:

Vulnerability Details:

Exploit Conditions:

Reproduction Steps:

Suggested Mitigations:

Detection Guidance:

Credits:

Vulnerability Disclosure:

Tags

Sightings

Nomenclature