GHSA-VX6J-PJRH-VGJH

Vulnerability from github – Published: 2021-12-15 22:54 – Updated: 2021-12-15 22:27
VLAI?
Summary
PHP file inclusion in the Sulu admin panel
Details

Impact

What kind of vulnerability is it? Who is impacted?

An attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution.

  • Compromised components: Arbitrary file read on the server, (Potential) Remote code execution
  • Exploitation pre-requisite: User account on the backend

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Overwrite the service sulu_route.generator.expression_token_provider and wrap the translator before passing it to the expression language.

References

Are there any links users can visit to find out more?

Currently not.

For more information

If you have any questions or comments about this advisory: * Open an issue in example link to repo * Email us at example email address

Severity ?
8.5 (High)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sulu/sulu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.44"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sulu/sulu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.2.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sulu/sulu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sulu/sulu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0-RC1"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.4.0-RC1"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-15T22:27:31Z",
    "nvd_published_at": "2021-12-15T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nAn attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution.\n\n* Compromised components: Arbitrary file read on the server, (Potential) Remote code execution\n* Exploitation pre-requisite: User account on the backend\n\n### Patches\n\n_Has the problem been patched? What versions should users upgrade to?_\n\nThe problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nOverwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language. \n\n### References\n\n_Are there any links users can visit to find out more?_\n\nCurrently not.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:example@example.com)\n",
  "id": "GHSA-vx6j-pjrh-vgjh",
  "modified": "2021-12-15T22:27:31Z",
  "published": "2021-12-15T22:54:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sulu/sulu"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PHP file inclusion in the Sulu admin panel"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.