Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jOGhqLXcyMzktNWd2Zs4AA3MK

pimcore/admin-ui-classic-bundle Full Path Disclosure via re-export document

Impact

Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view.

In the case of pimcore, the fopen() function here doesn't have an error handle when the file doesn't exist on the server so the server response raises the full path "fopen(/var/www/html/var/tmp/export-{ uniqe id}.csv)"

Patches

Apply patch https://github.com/pimcore/admin-ui-classic-bundle/commit/10d178ef771097604a256c1192b098af9ec57a87.patch

Workarounds

Update to version 1.2.1 or apply patches manually

References

https://huntr.com/bounties/4af4db18-9fd4-43e9-8bc6-c88aaf76839c/

Permalink: https://github.com/advisories/GHSA-c8hj-w239-5gvf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jOGhqLXcyMzktNWd2Zs4AA3MK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-c8hj-w239-5gvf, CVE-2023-47636
References:

Repository: https://github.com/pimcore/admin-ui-classic-bundle
Blast Radius: 4.5

Affected Packages

packagist:pimcore/admin-ui-classic-bundle

Dependent packages: 21
Dependent repositories: 7
Downloads: 262,242 total
Affected Version Ranges: < 1.2.1
Fixed in: 1.2.1
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4
All unaffected versions: 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0