CVE-2023-34448 - OpenCVE

Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Getgrav	Grav

Configuration 1 [-]

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8
https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8
https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148
https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/
https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-14T22:06:01.338Z

Updated: 2024-08-02T16:10:06.973Z

Reserved: 2023-06-06T16:16:53.558Z

Link: CVE-2023-34448

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-06-14T23:15:11.107

Modified: 2023-06-22T16:31:47.377

Link: CVE-2023-34448

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34448", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-06T16:16:53.558Z", "datePublished": "2023-06-14T22:06:01.338Z", "dateUpdated": "2024-08-02T16:10:06.973Z"}, "containers": {"cna": {"title": "Grav Server-side Template Injection (SSTI) via Twig Default Filters", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"}, {"name": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8", "tags": ["x_refsource_MISC"], "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"}, {"name": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148", "tags": ["x_refsource_MISC"], "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"}, {"name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/", "tags": ["x_refsource_MISC"], "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"}, {"name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83", "tags": ["x_refsource_MISC"], "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"}], "affected": [{"vendor": "getgrav", "product": "grav", "versions": [{"version": "< 1.7.42", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-14T22:16:40.551Z"}, "descriptions": [{"lang": "en", "value": "Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`."}], "source": {"advisory": "GHSA-whr7-m3f8-mpm8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:10:06.973Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"}, {"name": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"}, {"name": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"}, {"name": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"}, {"name": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*", "matchCriteriaId": "758F84B9-A2EC-45D8-86DD-B309DB02B9AE", "versionEndExcluding": "1.7.42", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`."}, {"lang": "es", "value": "Grav es un sistema de gesti\u00f3n de contenidos de archivos planos. Antes de la versi\u00f3n 1.7.42, el parche para CVE-2022-2073, una vulnerabilidad de inyecci\u00f3n de plantillas del lado del servidor en Gray aprovechando la funci\u00f3n predeterminada \"filter()\", no bloqueaba otras funciones integradas expuestas por la extensi\u00f3n principal de Twig que pod\u00edan utilizarse para invocar funciones no seguras arbitrarias, permitiendo as\u00ed la ejecuci\u00f3n remota de c\u00f3digo. Un parche en la versi\u00f3n 1.74.2 anula las funciones de filtro incorporadas de Twig \"map()\" y \"reduce()\" en \"system/src/Grav/Common/Twig/Extension/GravExtension.php\" para validar el argumento pasado al filtro en \"$arrow\". "}], "id": "CVE-2023-34448", "lastModified": "2023-06-22T16:31:47.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-06-14T23:15:11.107", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1336"}, {"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}