GHSA-R87R-982Q-2C3Q

Vulnerability from github – Published: 2023-07-21 20:18 – Updated: 2023-07-21 20:18
VLAI?
Summary
Pimcore vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Details

Impact

Unauthorized users are able to obtain sensitive information about the system's runtime environment, features they have no permissions to access, etc.

Patches

Update to version 10.6.4 or apply this patch manually https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54.patch manually.

References

https://huntr.dev/bounties/be5e4d4c-1b0b-4c01-a1fc-00533135817c/

Severity ?
7.6 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-3819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-21T20:18:22Z",
    "nvd_published_at": "2023-07-21T15:15:10Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nUnauthorized users are able to obtain sensitive information about the system\u0027s runtime environment, features they have no permissions to access, etc.\n\n### Patches\nUpdate to version 10.6.4 or apply this patch manually https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54.patch\n\n### Workarounds\nApply patch https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54.patch manually.\n\n### References\nhttps://huntr.dev/bounties/be5e4d4c-1b0b-4c01-a1fc-00533135817c/\n",
  "id": "GHSA-r87r-982q-2c3q",
  "modified": "2023-07-21T20:18:22Z",
  "published": "2023-07-21T20:18:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-r87r-982q-2c3q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3819"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/be5e4d4c-1b0b-4c01-a1fc-00533135817c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore vulnerable to Exposure of Sensitive Information to an Unauthorized Actor"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.