CVE-2022-21829 - OpenCVE

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Concretecms	Concrete Cms

Configuration 1 [-]

OR	cpe:2.3:a:concretecms:concrete_cms::::::::
	cpe:2.3:a:concretecms:concrete_cms::::::::

No data.

References

Link	Providers
https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes%2C
https://hackerone.com/reports/1482520%2C

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2022-06-24T15:00:05

Updated: 2024-08-03T02:53:36.288Z

Reserved: 2021-12-10T00:00:00

Link: CVE-2022-21829

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-06-24T15:15:10.143

Modified: 2023-11-07T03:43:44.213

Link: CVE-2022-21829

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "https://github.com/concrete5/concrete5", "vendor": "n/a", "versions": [{"status": "affected", "version": "Remediated in Concrete CMS 8.5.8 and 9.1.0. Affected Versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2"}]}], "descriptions": [{"lang": "en", "value": "Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing \u2018concrete_secure\u2019 instead of \u2018concrete\u2019. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "Cleartext Transmission of Sensitive Information (CWE-319)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-24T15:00:05", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1482520%2C"}, {"tags": ["x_refsource_MISC"], "url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes%2C"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2022-21829", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "https://github.com/concrete5/concrete5", "version": {"version_data": [{"version_value": "Remediated in Concrete CMS 8.5.8 and 9.1.0. Affected Versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing \u2018concrete_secure\u2019 instead of \u2018concrete\u2019. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cleartext Transmission of Sensitive Information (CWE-319)"}]}]}, "references": {"reference_data": [{"name": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes", "refsource": "MISC", "url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"}, {"name": "https://hackerone.com/reports/1482520,", "refsource": "MISC", "url": "https://hackerone.com/reports/1482520,"}, {"name": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes,", "refsource": "MISC", "url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes,"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T02:53:36.288Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1482520%2C"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes%2C"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2022-21829", "datePublished": "2022-06-24T15:00:05", "dateReserved": "2021-12-10T00:00:00", "dateUpdated": "2024-08-03T02:53:36.288Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "D821B974-A48F-4925-B849-55AC51A0BE0A", "versionEndExcluding": "8.5.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6E5829D-AFD1-4C1B-9E53-400D09956577", "versionEndExcluding": "9.1.0", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing \u2018concrete_secure\u2019 instead of \u2018concrete\u2019. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520."}, {"lang": "es", "value": "Concrete CMS versiones 9.0.0 a 9.0.2 y 8.5.7, pueden descargar archivos zip a trav\u00e9s de HTTP y ejecutar c\u00f3digo desde esos archivos zip, lo que podr\u00eda conllevar a un RCE. Corregido al aplicar \"concrete_secure\" en lugar de \"concrete\". Concrete ahora s\u00f3lo hace peticiones sobre https incluso si una petici\u00f3n entra por medio de http. El equipo de seguridad de Concrete CMS clasific\u00f3 este 8 con el vector CVSS v3.1: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H El m\u00e9rito es de Anna por informar a HackerOne 1482520"}], "id": "CVE-2022-21829", "lastModified": "2023-11-07T03:43:44.213", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-24T15:15:10.143", "references": [{"source": "support@hackerone.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"}, {"source": "support@hackerone.com", "url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes%2C"}, {"source": "support@hackerone.com", "url": "https://hackerone.com/reports/1482520%2C"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "support@hackerone.com", "type": "Secondary"}]}