CVE-2021-37334 - Vulnerability Details

Vendors	Products
Umbraco	Forms

Link	Providers
https://umbraco.com/blog/security-advisory-20th-of-july-2021-patch-is-now-available/
https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-forms-ready-on-july-20th-2021-at-7-am-utc/

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Umbraco Forms version 4.0.0 up to and including 8.7.5 and below are vulnerable to a security flaw that could lead to a remote code execution attack and/or arbitrary file deletion. A vulnerability occurs because validation of the file extension is performed after the file has been stored in a temporary directory. By default, files are stored within the application directory structure at %BASEDIR%/APP_DATA/TEMP/FileUploads/. Whilst access to this directory is restricted by the root web.config file, it is possible to override this restriction by uploading another specially crafted web.config file to the temporary directory. It is possible to exploit this flaw to upload a malicious script file to execute arbitrary code and system commands on the server."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-22T20:27:43", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-forms-ready-on-july-20th-2021-at-7-am-utc/"}, {"tags": ["x_refsource_MISC"], "url": "https://umbraco.com/blog/security-advisory-20th-of-july-2021-patch-is-now-available/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-37334", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Umbraco Forms version 4.0.0 up to and including 8.7.5 and below are vulnerable to a security flaw that could lead to a remote code execution attack and/or arbitrary file deletion. A vulnerability occurs because validation of the file extension is performed after the file has been stored in a temporary directory. By default, files are stored within the application directory structure at %BASEDIR%/APP_DATA/TEMP/FileUploads/. Whilst access to this directory is restricted by the root web.config file, it is possible to override this restriction by uploading another specially crafted web.config file to the temporary directory. It is possible to exploit this flaw to upload a malicious script file to execute arbitrary code and system commands on the server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-forms-ready-on-july-20th-2021-at-7-am-utc/", "refsource": "MISC", "url": "https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-forms-ready-on-july-20th-2021-at-7-am-utc/"}, {"name": "https://umbraco.com/blog/security-advisory-20th-of-july-2021-patch-is-now-available/", "refsource": "MISC", "url": "https://umbraco.com/blog/security-advisory-20th-of-july-2021-patch-is-now-available/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:16:03.860Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-forms-ready-on-july-20th-2021-at-7-am-utc/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://umbraco.com/blog/security-advisory-20th-of-july-2021-patch-is-now-available/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-37334", "datePublished": "2021-08-25T21:16:01", "dateReserved": "2021-07-21T00:00:00", "dateUpdated": "2024-08-04T01:16:03.860Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "14CCAF6C-E817-40A1-BD3A-F7FD88B5F1D2", "versionEndExcluding": "4.4.9", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "66BDB482-9007-489E-9579-1AFF853B0B34", "versionEndExcluding": "6.0.10", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3FA214C-5045-47C1-8DB5-F55480E931E7", "versionEndExcluding": "7.0.7", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7B77F3EF-5A06-4A46-AC9A-1510A0C1159F", "versionEndExcluding": "7.1.4", "versionStartIncluding": "7.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5DAE08E-080B-4F33-8013-B78DD771D16B", "versionEndExcluding": "7.2.1", "versionStartIncluding": "7.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "14F64867-A85F-40EE-B139-27A719862C90", "versionEndExcluding": "7.3.2", "versionStartIncluding": "7.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "CFD28213-A9A8-4B89-B853-162F6D786429", "versionEndExcluding": "7.4.3", "versionStartIncluding": "7.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F74A196-289B-42A1-B9A8-780E9E45DCD6", "versionEndExcluding": "7.5.4", "versionStartIncluding": "7.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "BD9A4DE4-D6C8-402C-832A-8D8C0F226E3B", "versionEndExcluding": "8.0.2", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B48A846-EB35-4A76-BED9-10D500D0ABCB", "versionEndExcluding": "8.1.6", "versionStartIncluding": "8.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A9AC679-11B7-488F-BEAD-DF415AA9DCEE", "versionEndExcluding": "8.2.3", "versionStartIncluding": "8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "AED97B97-4C76-4D45-9F2F-D2D4A00CB416", "versionEndExcluding": "8.3.4", "versionStartIncluding": "8.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "02F6AFC6-E981-49D3-B9CE-54339301C56E", "versionEndExcluding": "8.4.4", "versionStartIncluding": "8.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F7B1A63-11D9-49B2-986B-648A9EE2B685", "versionEndExcluding": "8.5.7", "versionStartIncluding": "8.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D7374D6-1DE1-4CC1-BAD1-054EBAD0E26A", "versionEndExcluding": "8.6.2", "versionStartIncluding": "8.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:umbraco:forms:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA322ABD-2D97-4428-9116-E52D318D07CF", "versionEndExcluding": "8.7.6", "versionStartIncluding": "8.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Umbraco Forms version 4.0.0 up to and including 8.7.5 and below are vulnerable to a security flaw that could lead to a remote code execution attack and/or arbitrary file deletion. A vulnerability occurs because validation of the file extension is performed after the file has been stored in a temporary directory. By default, files are stored within the application directory structure at %BASEDIR%/APP_DATA/TEMP/FileUploads/. Whilst access to this directory is restricted by the root web.config file, it is possible to override this restriction by uploading another specially crafted web.config file to the temporary directory. It is possible to exploit this flaw to upload a malicious script file to execute arbitrary code and system commands on the server."}, {"lang": "es", "value": "Las versiones de Umbraco Forms 4.0.0 hasta la 8.7.5 e inferiores son vulnerables a un fallo de seguridad que podr\u00eda dar lugar a un ataque de ejecuci\u00f3n remota de c\u00f3digo y/o eliminaci\u00f3n arbitraria de archivos. La vulnerabilidad se produce porque la validaci\u00f3n de la extensi\u00f3n del archivo se realiza despu\u00e9s de que el archivo se haya almacenado en un directorio temporal. Por defecto, los archivos se almacenan dentro de la estructura de directorios de la aplicaci\u00f3n en %BASEDIR%/APP_DATA/TEMP/FileUploads/. Aunque el acceso a este directorio est\u00e1 restringido por el archivo web.config ra\u00edz, es posible anular esta restricci\u00f3n cargando otro archivo web.config especialmente dise\u00f1ado en el directorio temporal. Es posible explotar este fallo para subir un archivo de script malicioso para ejecutar c\u00f3digo arbitrario y comandos del sistema en el servidor"}], "id": "CVE-2021-37334", "lastModified": "2024-11-21T06:14:58.420", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-25T22:15:07.123", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://umbraco.com/blog/security-advisory-20th-of-july-2021-patch-is-now-available/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-forms-ready-on-july-20th-2021-at-7-am-utc/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://umbraco.com/blog/security-advisory-20th-of-july-2021-patch-is-now-available/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-forms-ready-on-july-20th-2021-at-7-am-utc/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object