Vulnerability Details : CVE-2023-34252
Grav is a file-based Web platform. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. Version 1.7.42 contains a patch for this issue. End users should also ensure that `twig.undefined_functions` and `twig.undefined_filters` properties in `/path/to/webroot/system/config/system.yaml` configuration file are set to `false` to disallow Twig from treating undefined filters/functions as PHP functions and executing them.
Vulnerability category: Execute code
Products affected by CVE-2023-34252
- cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-34252
0.82%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 82 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-34252
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
GitHub, Inc. |
CWE ids for CVE-2023-34252
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: nvd@nist.gov (Primary)
-
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.Assigned by: security-advisories@github.com (Secondary)
-
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-34252
-
https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec
also handle SSTI in reduce twig filter + function · getgrav/grav@244758d · GitHubPatch
-
https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074
grav/system/src/Grav/Common/Utils.php at 1.7.40 · getgrav/grav · GitHubIssue Tracking
-
https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w
Grav Server-side Template Injection (SSTI) via Insufficient Validation in filterFilter · Advisory · getgrav/grav · GitHubExploit;Vendor Advisory
-
https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698
grav/system/src/Grav/Common/Twig/Extension/GravExtension.php at 1.7.40 · getgrav/grav · GitHubIssue Tracking
Jump to