Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1jOGhqLXcyMzktNWd2Zs4AA3MK

pimcore/admin-ui-classic-bundle Full Path Disclosure via re-export document

Impact

Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.

In the case of pimcore, the fopen() function here doesn't have an error handle when the file doesn't exist on the server so the server response raises the full path "fopen(/var/www/html/var/tmp/export-{ uniqe id}.csv)"

Patches

Apply patch https://github.com/pimcore/admin-ui-classic-bundle/commit/10d178ef771097604a256c1192b098af9ec57a87.patch

Workarounds

Update to version 1.2.1 or apply patches manually

References

https://huntr.com/bounties/4af4db18-9fd4-43e9-8bc6-c88aaf76839c/

Permalink: https://github.com/advisories/GHSA-c8hj-w239-5gvf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jOGhqLXcyMzktNWd2Zs4AA3MK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Percentage: 0.00088
EPSS Percentile: 0.38929

Identifiers: GHSA-c8hj-w239-5gvf, CVE-2023-47636
References:

• https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-c8hj-w239-5gvf
• https://github.com/pimcore/admin-ui-classic-bundle/commit/10d178ef771097604a256c1192b098af9ec57a87
• https://huntr.com/bounties/4af4db18-9fd4-43e9-8bc6-c88aaf76839c/
• https://nvd.nist.gov/vuln/detail/CVE-2023-47636
• https://github.com/advisories/GHSA-c8hj-w239-5gvf

Repository: https://github.com/pimcore/admin-ui-classic-bundle
Blast Radius: 4.5

Affected Packages