cvelistv5 - cve-2024-28116

CVE-2024-28116 (GCVE-0-2024-28116)

Vulnerability from cvelistv5

Published

2024-03-21 21:44

Modified

2024-08-02 00:48

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')
CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

Summary

Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.

References

►

URL

Tags

security-advisories@github.com	https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e	Patch
security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	getgrav	grav	Version: < 1.7.45

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "grav",
            "vendor": "getgrav",
            "versions": [
              {
                "lessThan": "1.7.45",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28116",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-01T20:55:43.128996Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-01T20:56:23.682Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.256Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
          },
          {
            "name": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "grav",
          "vendor": "getgrav",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.7.45"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-21T21:44:29.489Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
        },
        {
          "name": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
        }
      ],
      "source": {
        "advisory": "GHSA-c9gp-64c4-2rrh",
        "discovery": "UNKNOWN"
      },
      "title": "Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28116",
    "datePublished": "2024-03-21T21:44:29.489Z",
    "dateReserved": "2024-03-04T14:19:14.060Z",
    "dateUpdated": "2024-08-02T00:48:49.256Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-28116\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-21T22:15:11.577\",\"lastModified\":\"2025-01-02T22:57:51.510\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.\"},{\"lang\":\"es\",\"value\":\"Grav es un sistema de gesti\u00f3n de contenidos de archivos planos de c\u00f3digo abierto. Grav CMS anterior a la versi\u00f3n 1.7.45 es vulnerable a una inyecci\u00f3n de plantilla del lado del servidor (SSTI), que permite a cualquier usuario autenticado (los permisos del editor son suficientes) ejecutar c\u00f3digo arbitrario en el servidor remoto sin pasar por el entorno limitado de seguridad existente. La versi\u00f3n 1.7.45 contiene un parche para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-1336\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.7.45\",\"matchCriteriaId\":\"C9B96288-8090-4AF9-91EF-CBFCEB60039C\"}]}]}],\"references\":[{\"url\":\"https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28116\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-01T20:55:43.128996Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*\"], \"vendor\": \"getgrav\", \"product\": \"grav\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.7.45\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-01T20:56:19.279Z\"}}], \"cna\": {\"title\": \"Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass\", \"source\": {\"advisory\": \"GHSA-c9gp-64c4-2rrh\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"getgrav\", \"product\": \"grav\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.7.45\"}]}], \"references\": [{\"url\": \"https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh\", \"name\": \"https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e\", \"name\": \"https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1336\", \"description\": \"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-21T21:44:29.489Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-28116\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T20:56:23.682Z\", \"dateReserved\": \"2024-03-04T14:19:14.060Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-21T21:44:29.489Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2024-28116

Vulnerability from gsd

Modified

2024-03-05 06:02

Details

Aliases

CVE-2024-28116

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-28116"
      ],
      "details": "Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.",
      "id": "GSD-2024-28116",
      "modified": "2024-03-05T06:02:29.192417Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-28116",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "grav",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.7.45"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "getgrav"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-94",
                "lang": "eng",
                "value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)"
              }
            ]
          },
          {
            "description": [
              {
                "cweId": "CWE-1336",
                "lang": "eng",
                "value": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
          },
          {
            "name": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e",
            "refsource": "MISC",
            "url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-c9gp-64c4-2rrh",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue."
          },
          {
            "lang": "es",
            "value": "Grav es un sistema de gesti\u00f3n de contenidos de archivos planos de c\u00f3digo abierto. Grav CMS anterior a la versi\u00f3n 1.7.45 es vulnerable a una inyecci\u00f3n de plantilla del lado del servidor (SSTI), que permite a cualquier usuario autenticado (los permisos del editor son suficientes) ejecutar c\u00f3digo arbitrario en el servidor remoto sin pasar por el entorno limitado de seguridad existente. La versi\u00f3n 1.7.45 contiene un parche para este problema."
          }
        ],
        "id": "CVE-2024-28116",
        "lastModified": "2024-03-22T12:45:36.130",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-21T22:15:11.577",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-1336"
              },
              {
                "lang": "en",
                "value": "CWE-94"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

ghsa-c9gp-64c4-2rrh

Vulnerability from github

Published

2024-03-22 16:30

Modified

2024-03-22 16:30

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass

Details

Summary

Grav CMS is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox.

Details

The Grav CMS implements a custom sandbox to protect the powerful Twig methods "registerUndefinedFunctionCallback()" and "registerUndefinedFilterCallback()", in order to avoid SSTI attacks by denying the calling of dangerous PHP functions into the Twig template directives (such as: "exec()", "passthru()", "system()", etc.). The current defenses are based on a blacklist of prohibited functions (PHP, Twig), checked through the "isDangerousFunction()" method called in the file "system/src/Grav/Common/Twig.php":

```php ... $this->twig = new TwigEnvironment($loader_chain, $params);

$this->twig->registerUndefinedFunctionCallback(function (string $name) use ($config) { $allowed = $config->get('system.twig.safe_functions'); if (is_array($allowed) && in_array($name, $allowed, true) && function_exists($name)) { return new TwigFunction($name, $name); } if ($config->get('system.twig.undefined_functions')) { if (function_exists($name)) { if (!Utils::isDangerousFunction($name)) { user_error("PHP function {$name}() was used as Twig function. This is deprecated in Grav 1.7. Please add it to system configuration: system.twig.safe_functions", E_USER_DEPRECATED);

            return new TwigFunction($name, $name);
        }

       /** @var Debugger $debugger */
       $debugger = $this->grav['debugger'];
       $debugger->addException(new RuntimeException("Blocked potentially dangerous PHP function {$name}() being used as Twig function. If you really want to use it, please add it to system configuration: `system.twig.safe_functions`"));
    }

    return new TwigFunction($name, static function () {});
}

return false;

});

$this->twig->registerUndefinedFilterCallback(function (string $name) use ($config) { $allowed = $config->get('system.twig.safe_filters'); if (is_array($allowed) && in_array($name, $allowed, true) && function_exists($name)) { return new TwigFilter($name, $name); } if ($config->get('system.twig.undefined_filters')) { if (function_exists($name)) { if (!Utils::isDangerousFunction($name)) { user_error("PHP function {$name}() used as Twig filter. This is deprecated in Grav 1.7. Please add it to system configuration: system.twig.safe_filters", E_USER_DEPRECATED); return new TwigFilter($name, $name); } ... ``` In the code above it can be seen that the calls of the "isDangerousFunction()" are not performed when the method/filter in the "$name" variable has been considered safe. A function can be defined safe only by an administrator user, by adding it into the configuration properties "system.twig.safe_functions" and/or "system.twig.safe_filters" (a sort of whitelists that by default are empty) of the configuration file "system/config/system.yaml".

It is to note that within the "system/src/Grav/Common/Twig.php" file a Twig class is defined (with its constructor, methods and attributes) and in particular the Twig object (and environment) is instantiated on it: ```php / * Class Twig * @package Grav\Common\Twig */ class Twig { / @var Environment / public $twig; / @var array / public $twig_vars = []; / @var array */ public $twig_paths; / @var string / public $template; ... / * Constructor * * @param Grav $grav / public function __construct(Grav $grav) { $this->grav = $grav; $this->twig_paths = []; }

/**
 * Twig initialization that sets the twig loader chain, then the environment, then extensions
 * and also the base set of twig vars
 *
 * @return $this
 */
public function init()
{
    if (null === $this->twig) {
        /** @var Config $config */
        $config = $this->grav['config'];

... ``` Since the security sandbox does not protect the Twig object it is possible to interact with it (e.g. call its methods, read/write its attributes) through opportunely crafted Twig template directives injected on a web page. Then an authenticated editor user could be able to add arbitrary functions into the Twig attributes "system.twig.safe_functions" and "system.twig.safe_filters" in order to circumvent the Grav CMS sandbox.

PoC

An authenticated user with the permissions to edit a page (having Twig processing enabled) on the Grav CMS admin console, could create/edit a web page containing a malicious template directive to execute arbitrary OS commands on the remote web server. For instance, in order to abuse the vulnerability and execute the prohibited "system('id')" code, bypassing the sandbox, the editor could generate a web page containing the following template directives: {% set arr = {'1':'system', '2':'foo'} %} {{ var_dump(grav.twig.twig_vars['config'].set('system.twig.safe_functions', arr)) }} {{ system('id') }} Once saved the malicious page could be accessed by unauthenticated users to execute the "system('id')" code on the remote server hosting the vulnerable Grav CMS.

Impact

It is possible to execute remote code on the underlying server and compromise it.

Tested version

Grav CMS v1.7.43

Reported by

Maurizio Siddu

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "getgrav/grav"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28116"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-22T16:30:26Z",
    "nvd_published_at": "2024-03-21T22:15:11Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nGrav CMS is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox.\n\n### Details\nThe Grav CMS implements a custom sandbox to protect the powerful Twig methods \"registerUndefinedFunctionCallback()\" and \"registerUndefinedFilterCallback()\", in order to avoid SSTI attacks by denying the calling of dangerous PHP functions into the Twig template directives (such as: \"exec()\", \"passthru()\", \"system()\", etc.). \nThe current defenses are based on a blacklist of prohibited functions (PHP, Twig), checked through the \"isDangerousFunction()\" method called in the file \"system/src/Grav/Common/Twig.php\":\n\n```php\n...\n$this-\u003etwig = new TwigEnvironment($loader_chain, $params);\n\n$this-\u003etwig-\u003eregisterUndefinedFunctionCallback(function (string $name) use ($config) {\n    $allowed = $config-\u003eget(\u0027system.twig.safe_functions\u0027);\n    if (is_array($allowed) \u0026\u0026 in_array($name, $allowed, true) \u0026\u0026 function_exists($name)) {\n        return new TwigFunction($name, $name);\n    }\n    if ($config-\u003eget(\u0027system.twig.undefined_functions\u0027)) {\n        if (function_exists($name)) {\n            if (!Utils::isDangerousFunction($name)) {\n                user_error(\"PHP function {$name}() was used as Twig function. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_functions`\", E_USER_DEPRECATED);\n\n                return new TwigFunction($name, $name);\n            }\n\n           /** @var Debugger $debugger */\n           $debugger = $this-\u003egrav[\u0027debugger\u0027];\n           $debugger-\u003eaddException(new RuntimeException(\"Blocked potentially dangerous PHP function {$name}() being used as Twig function. If you really want to use it, please add it to system configuration: `system.twig.safe_functions`\"));\n        }\n\n        return new TwigFunction($name, static function () {});\n    }\n\n    return false;\n});\n\n$this-\u003etwig-\u003eregisterUndefinedFilterCallback(function (string $name) use ($config) {\n    $allowed = $config-\u003eget(\u0027system.twig.safe_filters\u0027);\n    if (is_array($allowed) \u0026\u0026 in_array($name, $allowed, true) \u0026\u0026 function_exists($name)) {\n        return new TwigFilter($name, $name);\n    }\n    if ($config-\u003eget(\u0027system.twig.undefined_filters\u0027)) {\n        if (function_exists($name)) {\n            if (!Utils::isDangerousFunction($name)) {\n                user_error(\"PHP function {$name}() used as Twig filter. This is deprecated in Grav 1.7. Please add it to system configuration: `system.twig.safe_filters`\", E_USER_DEPRECATED);\n                return new TwigFilter($name, $name);\n            }\n...\n```\nIn the code above it can be seen that the calls of the \"isDangerousFunction()\" are not performed when the method/filter in the \"$name\" variable has been considered safe. A function can be defined safe only by an administrator user, by adding it into the configuration properties \"system.twig.safe_functions\" and/or \"system.twig.safe_filters\" (a sort of whitelists that by default are empty) of the configuration file \"system/config/system.yaml\".\n\nIt is to note that within the \"system/src/Grav/Common/Twig.php\" file a Twig class is defined (with its constructor, methods and attributes) and in particular the Twig object (and environment) is instantiated on it:\n```php\n/**\n * Class Twig\n * @package Grav\\Common\\Twig\n */\nclass Twig\n{\n    /** @var Environment */\n    public $twig;\n    /** @var array */\n    public $twig_vars = [];\n    /** @var array */\n    public $twig_paths;\n    /** @var string */\n    public $template;\n...\n   /**\n     * Constructor\n     *\n     * @param Grav $grav\n     */\n    public function __construct(Grav $grav)\n    {\n        $this-\u003egrav = $grav;\n        $this-\u003etwig_paths = [];\n    }\n\n    /**\n     * Twig initialization that sets the twig loader chain, then the environment, then extensions\n     * and also the base set of twig vars\n     *\n     * @return $this\n     */\n    public function init()\n    {\n        if (null === $this-\u003etwig) {\n            /** @var Config $config */\n            $config = $this-\u003egrav[\u0027config\u0027];\n...\n```\nSince the security sandbox does not protect the Twig object it is possible to interact with it (e.g. call its methods, read/write its attributes) through opportunely crafted Twig template directives injected on a web page. \nThen an authenticated editor user could be able to add arbitrary functions into the Twig attributes \"system.twig.safe_functions\" and \"system.twig.safe_filters\" in order to circumvent the Grav CMS sandbox.\n\n\n### PoC\nAn authenticated user with the permissions to edit a page (having Twig processing enabled) on the Grav CMS admin console, could create/edit a web page containing a malicious template directive to execute arbitrary OS commands on the remote web server.\nFor instance, in order to abuse the vulnerability and execute the prohibited \"system(\u0027id\u0027)\" code, bypassing the sandbox, the editor could generate a web page containing the following template directives:\n```\n{% set arr = {\u00271\u0027:\u0027system\u0027, \u00272\u0027:\u0027foo\u0027} %}\n{{ var_dump(grav.twig.twig_vars[\u0027config\u0027].set(\u0027system.twig.safe_functions\u0027, arr)) }}\n{{ system(\u0027id\u0027) }}\n```\nOnce saved the malicious page could be accessed by unauthenticated users to execute the \"system(\u0027id\u0027)\" code on the remote server hosting the vulnerable Grav CMS.\n\n\n### Impact\nIt is possible to execute remote code on the underlying server and compromise it.\n\n\n### Tested version\nGrav CMS v1.7.43\n\n\n### Reported by\nMaurizio Siddu",
  "id": "GHSA-c9gp-64c4-2rrh",
  "modified": "2024-03-22T16:30:26Z",
  "published": "2024-03-22T16:30:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28116"
    },
    {
      "type": "WEB",
      "url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/getgrav/grav"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Server-Side Template Injection (SSTI) with Grav CMS security sandbox bypass"
}

fkie_cve-2024-28116

Vulnerability from fkie_nvd

Published

2024-03-21 22:15

Modified

2025-01-02 22:57

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e	Patch
security-advisories@github.com	https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	getgrav	grav	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9B96288-8090-4AF9-91EF-CBFCEB60039C",
              "versionEndExcluding": "1.7.45",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue."
    },
    {
      "lang": "es",
      "value": "Grav es un sistema de gesti\u00f3n de contenidos de archivos planos de c\u00f3digo abierto. Grav CMS anterior a la versi\u00f3n 1.7.45 es vulnerable a una inyecci\u00f3n de plantilla del lado del servidor (SSTI), que permite a cualquier usuario autenticado (los permisos del editor son suficientes) ejecutar c\u00f3digo arbitrario en el servidor remoto sin pasar por el entorno limitado de seguridad existente. La versi\u00f3n 1.7.45 contiene un parche para este problema."
    }
  ],
  "id": "CVE-2024-28116",
  "lastModified": "2025-01-02T22:57:51.510",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-21T22:15:11.577",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/getgrav/grav/commit/4149c81339274130742831422de2685f298f3a6e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/getgrav/grav/security/advisories/GHSA-c9gp-64c4-2rrh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        },
        {
          "lang": "en",
          "value": "CWE-1336"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-28116 (GCVE-0-2024-28116)

Vulnerability from cvelistv5

gsd-2024-28116

Vulnerability from gsd

ghsa-c9gp-64c4-2rrh

Vulnerability from github

Summary

Details

PoC

Impact

Tested version

Reported by

fkie_cve-2024-28116

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature