ghsa-g9rq-x4fj-f5hx
Vulnerability from github
Published
2020-03-13 20:21
Modified
2021-01-08 21:18
Severity ?
7.9 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
Summary
Remote Code Execution Through Image Uploads in BookStack
Details

Impact

A user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process.

This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application.

Patches

The issue was addressed in a series of patches: v0.25.3, v0.25.4 and v0.25.5. Users should upgrade to at least v0.25.5 to avoid this patch but ideally the latest BookStack version as previous versions are un-supported.

Workarounds

Depending on BookStack version, you could use the local_secure image storage option, or use s3 or a similar compatible service.

Preventing direct execution of any php files, apart from the public/index.php file, though web-server configuration would also prevent this.

References

BookStack Beta v0.25.3 BookStack Beta v0.25.4 BookStack Beta v0.25.5

For more information

If you have any questions or comments about this advisory: * Open an issue in the BookStack GitHub repository. * Ask on the BookStack Discord chat. * Follow the BookStack Security advise to contact someone privately.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.25.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ssddanbrown/bookstack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.25.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-13T20:20:25Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process.\n\nThis most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. \n\n### Patches\n\nThe issue was addressed in a series of patches: v0.25.3, v0.25.4 and v0.25.5.\nUsers should upgrade to at least v0.25.5 to avoid this patch but ideally the latest BookStack version as previous versions are un-supported.\n\n### Workarounds\n\nDepending on BookStack version, you could use the [local_secure](https://www.bookstackapp.com/docs/admin/upload-config/#local-secure) image storage option, or use s3 or a similar compatible service.\n\nPreventing direct execution of any `php` files, apart from the `public/index.php` file, though web-server configuration would also prevent this.\n\n### References\n\n[BookStack Beta v0.25.3](https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3)\n[BookStack Beta v0.25.4](https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4)\n[BookStack Beta v0.25.5](https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [the BookStack GitHub repository](BookStackApp/BookStack/issues).\n* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).\n* Follow the [BookStack Security advise](https://github.com/BookStackApp/BookStack#-security) to contact someone privately.",
  "id": "GHSA-g9rq-x4fj-f5hx",
  "modified": "2021-01-08T21:18:55Z",
  "published": "2020-03-13T20:21:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5256"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote Code Execution Through Image Uploads in BookStack"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.