Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wN2Y2LThtY20tZnd2M84ABBfv
Statamic CMS has a Path Traversal in Asset Upload
Assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured.
Impact
- Affects front-end forms with
assets
fields. - Affects other places where assets can be uploaded, although users would need upload permissions anyway.
- Files can be uploaded so they would be located on the server in a different location, and potentially override existing files.
- Traversal outside an asset container was not possible.
Patches
This has been fixed in 5.17.0.
Permalink: https://github.com/advisories/GHSA-p7f6-8mcm-fwv3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wN2Y2LThtY20tZnd2M84ABBfv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 22 days ago
Updated: 21 days ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Percentage: 0.00045
EPSS Percentile: 0.17556
Identifiers: GHSA-p7f6-8mcm-fwv3, CVE-2024-52600
References:
- https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3
- https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d
- https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da
- https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d
- https://nvd.nist.gov/vuln/detail/CVE-2024-52600
- https://github.com/advisories/GHSA-p7f6-8mcm-fwv3
Blast Radius: 13.7
Affected Packages
packagist:statamic/cms
Dependent packages: 377Dependent repositories: 388
Downloads: 1,888,960 total
Affected Version Ranges: <= 5.16.0
Fixed in: 5.17.0
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.0.25, 3.0.26, 3.0.27, 3.0.28, 3.0.29, 3.0.30, 3.0.31, 3.0.32, 3.0.33, 3.0.34, 3.0.35, 3.0.36, 3.0.37, 3.0.38, 3.0.39, 3.0.40, 3.0.41, 3.0.42, 3.0.43, 3.0.44, 3.0.45, 3.0.46, 3.0.47, 3.0.48, 3.0.49, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.21, 3.1.22, 3.1.23, 3.1.24, 3.1.25, 3.1.26, 3.1.27, 3.1.28, 3.1.29, 3.1.30, 3.1.31, 3.1.32, 3.1.33, 3.1.34, 3.1.35, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 3.2.23, 3.2.24, 3.2.25, 3.2.26, 3.2.27, 3.2.28, 3.2.29, 3.2.30, 3.2.31, 3.2.32, 3.2.33, 3.2.34, 3.2.35, 3.2.36, 3.2.37, 3.2.38, 3.2.39, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.3.10, 3.3.11, 3.3.12, 3.3.13, 3.3.14, 3.3.15, 3.3.16, 3.3.17, 3.3.18, 3.3.19, 3.3.20, 3.3.21, 3.3.22, 3.3.23, 3.3.24, 3.3.25, 3.3.26, 3.3.27, 3.3.28, 3.3.29, 3.3.30, 3.3.31, 3.3.32, 3.3.33, 3.3.34, 3.3.35, 3.3.36, 3.3.37, 3.3.38, 3.3.39, 3.3.40, 3.3.41, 3.3.42, 3.3.43, 3.3.44, 3.3.45, 3.3.46, 3.3.47, 3.3.48, 3.3.49, 3.3.50, 3.3.51, 3.3.52, 3.3.53, 3.3.54, 3.3.55, 3.3.56, 3.3.57, 3.3.58, 3.3.59, 3.3.60, 3.3.61, 3.3.62, 3.3.63, 3.3.64, 3.3.65, 3.3.66, 3.3.67, 3.3.68, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14, 3.4.15, 3.4.16, 3.4.17, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.9.2, 4.10.0, 4.10.1, 4.10.2, 4.11.0, 4.12.0, 4.13.0, 4.13.1, 4.13.2, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.23.1, 4.23.2, 4.24.0, 4.25.0, 4.26.0, 4.26.1, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.42.1, 4.43.0, 4.44.0, 4.45.0, 4.46.0, 4.47.0, 4.48.0, 4.49.0, 4.50.0, 4.51.0, 4.52.0, 4.53.0, 4.53.1, 4.53.2, 4.54.0, 4.55.0, 4.56.0, 4.56.1, 4.57.0, 4.57.1, 4.57.2, 4.57.3, 4.58.0, 4.58.1, 4.58.2, 4.58.3, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.6.1, 5.6.2, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 5.15.0, 5.16.0
All unaffected versions: 5.17.0, 5.17.1, 5.18.0, 5.19.0, 5.20.0, 5.21.0, 5.22.0, 5.22.1, 5.23.0, 5.24.0, 5.25.0, 5.26.0, 5.27.0, 5.28.0, 5.29.0, 5.30.0, 5.31.0, 5.32.0, 5.33.0, 5.33.1, 5.34.0, 5.35.0, 5.36.0, 5.37.0, 5.38.0, 5.38.1, 5.39.0, 5.40.0, 5.41.0