CVE-2021-43836 (GCVE-0-2021-43836)

Vulnerability from cvelistv5 – Published: 2021-12-15 20:10 – Updated: 2024-08-04 04:10
VLAI?
Title
PHP file inclusion in the Sulu admin panel
Summary
Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language.
Severity ?
8.5 (High)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
Vendor Product Version
sulu sulu Affected: < 1.6.44
Affected: >= 2.0.0, < 2.2.18
Affected: >= 2.3.0, < 2.3.8
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:10:16.325Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sulu",
          "vendor": "sulu",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.6.44"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.2.18"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.3.0, \u003c 2.3.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-15T20:10:09",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54"
        }
      ],
      "source": {
        "advisory": "GHSA-vx6j-pjrh-vgjh",
        "discovery": "UNKNOWN"
      },
      "title": "PHP file inclusion in the Sulu admin panel",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-43836",
          "STATE": "PUBLIC",
          "TITLE": "PHP file inclusion in the Sulu admin panel"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "sulu",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.6.44"
                          },
                          {
                            "version_value": "\u003e= 2.0.0, \u003c 2.2.18"
                          },
                          {
                            "version_value": "\u003e= 2.3.0, \u003c 2.3.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "sulu"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh",
              "refsource": "CONFIRM",
              "url": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh"
            },
            {
              "name": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54",
              "refsource": "MISC",
              "url": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-vx6j-pjrh-vgjh",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-43836",
    "datePublished": "2021-12-15T20:10:10",
    "dateReserved": "2021-11-16T00:00:00",
    "dateUpdated": "2024-08-04T04:10:16.325Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"1.6.44\", \"matchCriteriaId\": \"838D4309-D6D9-4884-B6C7-F4529DD7AD68\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndExcluding\": \"2.2.18\", \"matchCriteriaId\": \"7B6E9B64-0B43-40AD-B0B4-C8BA5EEA6F31\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.3.0\", \"versionEndExcluding\": \"2.3.8\", \"matchCriteriaId\": \"354C0B42-D950-497B-B3B7-09EA07063564\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sulu:sulu:2.4.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"2889EBAA-7A15-436C-9658-CA67F7122DC1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language.\"}, {\"lang\": \"es\", \"value\": \"Sulu es un sistema de administraci\\u00f3n de contenidos PHP de c\\u00f3digo abierto basado en el framework Symfony. En las versiones afectadas, un atacante puede leer archivos locales arbitrarios por medio de una inclusi\\u00f3n de archivos PHP. En una configuraci\\u00f3n por defecto esto tambi\\u00e9n conlleva a una ejecuci\\u00f3n de c\\u00f3digo remota. El problema est\\u00e1 parcheado con las versiones 1.6.44, 2.2.18, 2.3.8, 2.4.0. Para usuarios que no puedan actualizar sobrescribir el servicio \\\"sulu_route.generator.expression_token_provider\\\" y envolver el traductor antes de pasarlo al lenguaje de expresi\\u00f3n\"}]",
      "id": "CVE-2021-43836",
      "lastModified": "2024-11-21T06:29:53.840",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 8.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-12-15T20:15:08.733",
      "references": "[{\"url\": \"https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-43836\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-12-15T20:15:08.733\",\"lastModified\":\"2024-11-21T06:29:53.840\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language.\"},{\"lang\":\"es\",\"value\":\"Sulu es un sistema de administraci\u00f3n de contenidos PHP de c\u00f3digo abierto basado en el framework Symfony. En las versiones afectadas, un atacante puede leer archivos locales arbitrarios por medio de una inclusi\u00f3n de archivos PHP. En una configuraci\u00f3n por defecto esto tambi\u00e9n conlleva a una ejecuci\u00f3n de c\u00f3digo remota. El problema est\u00e1 parcheado con las versiones 1.6.44, 2.2.18, 2.3.8, 2.4.0. Para usuarios que no puedan actualizar sobrescribir el servicio \\\"sulu_route.generator.expression_token_provider\\\" y envolver el traductor antes de pasarlo al lenguaje de expresi\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.6.44\",\"matchCriteriaId\":\"838D4309-D6D9-4884-B6C7-F4529DD7AD68\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.2.18\",\"matchCriteriaId\":\"7B6E9B64-0B43-40AD-B0B4-C8BA5EEA6F31\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndExcluding\":\"2.3.8\",\"matchCriteriaId\":\"354C0B42-D950-497B-B3B7-09EA07063564\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sulu:sulu:2.4.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"2889EBAA-7A15-436C-9658-CA67F7122DC1\"}]}]}],\"references\":[{\"url\":\"https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.