CVE-2023-46245 - Vulnerability Details - OpenCVE

Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0227.

Key SSVC decision points have not yet been added.

Vendors	Products
Kimai	Kimai

Configuration 1 [-]

cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2726	Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates.
Github GHSA	GHSA-fjhg-96cp-6fcw	Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4
https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-31T15:06:23.359Z

Updated: 2024-08-02T20:37:40.150Z

Reserved: 2023-10-19T20:34:00.948Z

Link: CVE-2023-46245

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-10-31T16:15:09.697

Modified: 2024-11-21T08:28:09.447

Link: CVE-2023-46245

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46245", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-19T20:34:00.948Z", "datePublished": "2023-10-31T15:06:23.359Z", "dateUpdated": "2024-08-02T20:37:40.150Z"}, "containers": {"cna": {"title": "Kimai (Authenticated) SSTI to RCE by Uploading a Malicious Twig File", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw"}, {"name": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4", "tags": ["x_refsource_MISC"], "url": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4"}], "affected": [{"vendor": "kimai", "product": "kimai", "versions": [{"version": "< 2.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-12T16:38:46.831Z"}, "descriptions": [{"lang": "en", "value": "Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates."}], "source": {"advisory": "GHSA-fjhg-96cp-6fcw", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:37:40.150Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw"}, {"name": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kimai:kimai:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEB8D3D0-3954-4848-A54C-DF036038125C", "versionEndIncluding": "2.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Kimai is a web-based multi-user time-tracking application. Versions prior to 2.1.0 are vulnerable to a Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Version 2.1.0 enables security measures for custom Twig templates."}, {"lang": "es", "value": "Kimai es una aplicaci\u00f3n de seguimiento del tiempo multiusuario basada en web. Las versiones 2.1.0 y anteriores son vulnerables a una inyecci\u00f3n de plantilla del lado del servidor (SSTI) que puede escalarse a Remote Code Execution (RCE). La vulnerabilidad surge cuando un usuario malintencionado carga un archivo Twig especialmente manipulado, explotando las funcionalidades de representaci\u00f3n de PDF y HTML del software. Al momento de la publicaci\u00f3n, no hay parches ni workarounds disponibles."}], "id": "CVE-2023-46245", "lastModified": "2024-11-21T08:28:09.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-31T16:15:09.697", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/kimai/kimai/commit/38e37f1c2e91e1acb221ec5c13f11b735bd50ae4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/kimai/kimai/security/advisories/GHSA-fjhg-96cp-6fcw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}