GHSA-4HXW-GC2Q-F6F3

Vulnerability from github – Published: 2024-11-07 16:14 – Updated: 2024-11-08 22:01
VLAI?
Summary
Filament has exported files stored in default (`public`) filesystem if not reconfigured
Details

Summary

All Filament features that interact with storage use the default_filesystem_disk config option. This allows the user to easily swap their storage driver to something production-ready like s3 when deploying their app, without having to touch multiple configuration options and potentially forgetting about some.

The default disk is set to public when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support.

However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for the many deployed applications, since many use a secure default disk such as S3 in production. However, CWE-1188 suggests that having the public disk as the default disk in Filament is a security vulnerability itself:

Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it.

As such, we have implemented a measure to protect users whereby if the public disk is set as the default disk, the exports feature will automatically swap it out for the local disk, if that exists. Users who set the default disk to local or s3 already are not affected. If a user wants to continue to use the public disk for exports, they can by setting the export disk deliberately.

Details

Product: filament/actions Version: >=3.2 CWE-ID:CWE-1188: Initialization of a Resource with an Insecure Default Description: The default configuration saves export files to a public disk, allowing unauthorized users to download exported data. Impact: Reading export files without access control Vulnerable component: https://github.com/filamentphp/filament/blob/3.x/packages/actions/src/Exports/Exporter.php#L144-L153 Exploitation conditions: Unauthorized user Researcher: Vladislav Gladky (Positive Technologies)

Severity ?
2.4 (Low)
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
2.3 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "filament/actions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.2.123"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51758"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-07T16:14:13Z",
    "nvd_published_at": "2024-11-07T18:15:17Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nAll Filament features that interact with storage use the `default_filesystem_disk` config option. This allows the user to easily swap their storage driver to something production-ready like `s3` when deploying their app, without having to touch multiple configuration options and potentially forgetting about some.\n\nThe default disk is set to `public` when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support.\n\nHowever, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for the many deployed applications, since many use a secure default disk such as S3 in production. However, [CWE-1188](https://cwe.mitre.org/data/definitions/1188.html) suggests that having the `public` disk as the default disk in Filament is a security vulnerability itself:\n\n\u003e Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it.\n\nAs such, we have implemented a measure to protect users whereby if the `public` disk is set as the default disk, the exports feature will automatically swap it out for the `local` disk, if that exists. Users who set the default disk to `local` or `s3` already are not affected. If a user wants to continue to use the `public` disk for exports, they can by [setting the export disk](https://filamentphp.com/docs/3.x/actions/prebuilt-actions/export#customizing-the-storage-disk) deliberately.\n\n### Details\n\n**Product:** filament/actions\n**Version:** \u003e=3.2\n**CWE-ID:**[CWE-1188](https://cwe.mitre.org/data/definitions/1188.html): Initialization of a Resource with an Insecure Default\n**Description:** The default configuration saves export files to a public disk, allowing unauthorized users to download exported data.\n**Impact:** Reading export files without access control\n**Vulnerable component:**\nhttps://github.com/filamentphp/filament/blob/3.x/packages/actions/src/Exports/Exporter.php#L144-L153\n**Exploitation conditions:** Unauthorized user\n**Researcher:** Vladislav Gladky (Positive Technologies)",
  "id": "GHSA-4hxw-gc2q-f6f3",
  "modified": "2024-11-08T22:01:56Z",
  "published": "2024-11-07T16:14:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filamentphp/filament/security/advisories/GHSA-4hxw-gc2q-f6f3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filamentphp/filament/commit/19f5347f0e17d9f4eb515e24ea5632031c6829df"
    },
    {
      "type": "WEB",
      "url": "https://filamentphp.com/docs/3.x/actions/prebuilt-actions/export#customizing-the-storage-disk"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filamentphp/filament"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filamentphp/filament/blob/3.x/packages/actions/src/Exports/Exporter.php#L144-L153"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Filament has exported files stored in default (`public`) filesystem if not reconfigured"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.