Vulnerability Details : CVE-2023-34448
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.
Vulnerability category: Input validationExecute code
Products affected by CVE-2023-34448
- cpe:2.3:a:getgrav:grav:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-34448
1.01%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 84 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-34448
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
GitHub, Inc. |
CWE ids for CVE-2023-34448
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security-advisories@github.com (Secondary)
-
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.Assigned by: nvd@nist.gov (Primary)
-
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-34448
-
https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148
Twig/src/Environment.php at v1.44.7 · twigphp/Twig · GitHubVendor Advisory
-
https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8
better SSTI in |map and |filter · getgrav/grav@8c2c1cb · GitHubPatch;Vendor Advisory
-
https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/
Server Side Template Injection vulnerability found in gravExploit;Patch;Third Party Advisory
-
https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83
Fixed Twig `|filter()` allowing code execution · getgrav/grav@9d6a2db · GitHubExploit;Mitigation;Vendor Advisory
-
https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8
Grav Server-side Template Injection (SSTI) via Twig Default Filters · Advisory · getgrav/grav · GitHubVendor Advisory
Jump to