Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13NngyLWpnOGgtcDZtcM4AA5RJ

Path Traversal in TYPO3 File Abstraction Layer Storages

Problem

Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in BE/lockRootPath was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exploit this vulnerability.

Solution

Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

ℹ️ Strong security defaults - Manual actions required

see Important: #102800 changelog

Assuming that a web project is located in the directory /var/www/example.org (the "project root path" for Composer-based projects) and the publicly accessible directory is located at /var/www/example.org/public (the "public root path"), accessing resources via the File Abstraction Layer component is limited to the mentioned directories.

To grant additional access to directories, they must be explicitly configured in the system settings of $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] - either using the Install Tool or according to deployment techniques. The existing setting has been extended to support multiple directories configured as an array of strings.

Example:

$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] = [
  ‘/var/shared/documents/’,
  ‘/var/shared/images/’,
];

Storages that reference directories not explicitly granted will be marked as "offline" internally - no resources can be used in the website's frontend and backend context.

Credits

Thanks to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.

References

Permalink: https://github.com/advisories/GHSA-w6x2-jg8h-p6mp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NngyLWpnOGgtcDZtcM4AA5RJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 9 months ago


CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Identifiers: GHSA-w6x2-jg8h-p6mp, CVE-2023-30451
References: Repository: https://github.com/TYPO3/typo3
Blast Radius: 19.7

Affected Packages

packagist:typo3/cms-core
Dependent packages: 3,067
Dependent repositories: 3,856
Downloads: 8,389,906 total
Affected Version Ranges: = 13.0.0, >= 12.0.0, <= 12.4.10, >= 11.0.0, <= 11.5.34, >= 10.0.0, <= 10.4.42, >= 9.0.0, <= 9.5.45, >= 8.0.0, <= 8.7.56
Fixed in: 13.0.1, 12.4.11, 11.5.35, 10.4.43, 9.5.46, 8.7.57
All affected versions: 8.7.7, 8.7.8, 8.7.9, 8.7.10, 8.7.11, 8.7.12, 8.7.13, 8.7.14, 8.7.15, 8.7.16, 8.7.17, 8.7.18, 8.7.19, 8.7.20, 8.7.21, 8.7.22, 8.7.23, 8.7.24, 8.7.25, 8.7.26, 8.7.27, 8.7.28, 8.7.29, 8.7.30, 8.7.31, 8.7.32, 9.0.0, 9.1.0, 9.2.0, 9.2.1, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.4.0, 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 9.5.11, 9.5.12, 9.5.13, 9.5.14, 9.5.15, 9.5.16, 9.5.17, 9.5.18, 9.5.19, 9.5.20, 9.5.21, 9.5.22, 9.5.23, 9.5.24, 9.5.25, 9.5.26, 9.5.27, 9.5.28, 9.5.29, 9.5.30, 9.5.31, 10.0.0, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.4.8, 10.4.9, 10.4.10, 10.4.11, 10.4.12, 10.4.13, 10.4.14, 10.4.15, 10.4.16, 10.4.17, 10.4.18, 10.4.19, 10.4.20, 10.4.21, 10.4.22, 10.4.23, 10.4.24, 10.4.25, 10.4.26, 10.4.27, 10.4.28, 10.4.29, 10.4.30, 10.4.31, 10.4.32, 10.4.33, 10.4.34, 10.4.35, 10.4.36, 10.4.37, 11.0.0, 11.1.0, 11.1.1, 11.2.0, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.5.11, 11.5.12, 11.5.13, 11.5.14, 11.5.15, 11.5.16, 11.5.17, 11.5.18, 11.5.19, 11.5.20, 11.5.21, 11.5.22, 11.5.23, 11.5.24, 11.5.25, 11.5.26, 11.5.27, 11.5.28, 11.5.29, 11.5.30, 11.5.31, 11.5.32, 11.5.33, 11.5.34, 12.0.0, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.2.0, 12.3.0, 12.4.0, 12.4.1, 12.4.2, 12.4.3, 12.4.4, 12.4.5, 12.4.6, 12.4.7, 12.4.8, 12.4.9, 12.4.10, 13.0.0
All unaffected versions: 11.5.35, 11.5.36, 11.5.37, 11.5.38, 11.5.39, 11.5.40, 11.5.41, 12.4.11, 12.4.12, 12.4.13, 12.4.14, 12.4.15, 12.4.16, 12.4.17, 12.4.18, 12.4.19, 12.4.20, 12.4.21, 12.4.22, 12.4.23, 13.0.1, 13.1.0, 13.1.1, 13.2.0, 13.2.1, 13.3.0, 13.3.1, 13.4.0, 13.4.1