CVE-2024-28119 - Vulnerability Details - OpenCVE

Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Getgrav	Grav

Configuration 1 [-]

cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58
https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99

History

Thu, 02 Jan 2025 23:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Getgrav Getgrav grav
CPEs		cpe:2.3:a:getgrav:grav::::::::
Vendors & Products		Getgrav Getgrav grav

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-21T22:02:04.145Z

Updated: 2024-08-21T22:55:01.977Z

Reserved: 2024-03-04T14:19:14.060Z

Link: CVE-2024-28119

Vulnrichment

Updated: 2024-08-02T00:48:49.108Z

NVD

Status : Analyzed

Published: 2024-03-21T22:15:12.233

Modified: 2025-01-02T23:00:20.203

Link: CVE-2024-28119

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28119", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-04T14:19:14.060Z", "datePublished": "2024-03-21T22:02:04.145Z", "dateUpdated": "2024-08-21T22:55:01.977Z"}, "containers": {"cna": {"title": "Grav vulnerable to Server Side Template Injection (SSTI) via Twig escape handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58"}, {"name": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "tags": ["x_refsource_MISC"], "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"}, {"name": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99", "tags": ["x_refsource_MISC"], "url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99"}], "affected": [{"vendor": "getgrav", "product": "grav", "versions": [{"version": "< 1.7.45", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-21T22:02:04.145Z"}, "descriptions": [{"lang": "en", "value": "Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue."}], "source": {"advisory": "GHSA-2m7x-c7px-hp58", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.108Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58"}, {"name": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"}, {"name": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99"}]}, {"affected": [{"vendor": "getgrav", "product": "grav", "cpes": ["cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.7.45", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-28T18:13:10.316112Z", "id": "CVE-2024-28119", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T22:55:01.977Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58", "name": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "name": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99", "name": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.108Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28119", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-28T18:13:10.316112Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*"], "vendor": "getgrav", "product": "grav", "versions": [{"status": "affected", "version": "0", "lessThan": "1.7.45", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-21T22:54:56.849Z"}}], "cna": {"title": "Grav vulnerable to Server Side Template Injection (SSTI) via Twig escape handler", "source": {"advisory": "GHSA-2m7x-c7px-hp58", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "getgrav", "product": "grav", "versions": [{"status": "affected", "version": "< 1.7.45"}]}], "references": [{"url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58", "name": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "name": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99", "name": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-21T22:02:04.145Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28119", "state": "PUBLISHED", "dateUpdated": "2024-08-21T22:55:01.977Z", "dateReserved": "2024-03-04T14:19:14.060Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-21T22:02:04.145Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9B96288-8090-4AF9-91EF-CBFCEB60039C", "versionEndExcluding": "1.7.45", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue."}, {"lang": "es", "value": "Grav es un sistema de gesti\u00f3n de contenidos de archivos planos de c\u00f3digo abierto. Antes de la versi\u00f3n 1.7.45, debido al acceso sin restricciones a la clase de extensi\u00f3n twig desde el contexto grav, un atacante pod\u00eda redefinir la funci\u00f3n de escape y ejecutar comandos arbitrarios. El procesamiento Twig de p\u00e1ginas est\u00e1ticas puede ser habilitado en la portada por cualquier usuario administrativo autorizado a crear o editar p\u00e1ginas. Como el procesador Twig se ejecuta sin entorno de pruebas, este comportamiento se puede utilizar para obtener la ejecuci\u00f3n de c\u00f3digo arbitrario y elevar los privilegios en la instancia. La versi\u00f3n 1.7.45 contiene un parche para este problema."}], "id": "CVE-2024-28119", "lastModified": "2025-01-02T23:00:20.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-21T22:15:12.233", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}