Vulnerability Details: CVE-2023-37897
Grav is a file-based web platform built in PHP. Grav is subject to a server-side template injection (SSTI) vulnerability. The fix for an earlier SSTI vulnerability using the `|map`, `|filter` and `|reduce` Twig filters, implemented in commit `71bbed1`, introduces a bypass of the denylist due to an incorrect return value from `isDangerousFunction()`, which allows the payload to be executed by prepending a double backslash (`\\`). In version 1.7.42 and onwards, the `isDangerousFunction()` check returns `false` instead of `true` when the `\` symbol is found in `$name`, so a denylisted function name written with a leading backslash is treated as safe. This vulnerability can be exploited if the attacker has access to:
1. an Administrator account, or
2. a non-administrator user account that has Admin panel access and Create/Update page permissions.
A fix for this vulnerability has been introduced in commit `b4c6210` and is included in release version `1.7.42.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Products affected by CVE-2023-37897
- cpe:2.3:a:getgrav:grav:1.7.42:*:*:*:*:*:*:*
- cpe:2.3:a:getgrav:grav:1.7.42.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-37897
- EPSS score: 0.11% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~44% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2023-37897
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | 
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | GitHub, Inc. | 
CWE ids for CVE-2023-37897
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Assigned by: security-advisories@github.com (Primary)
- A function or operation returns an incorrect return value or status code that does not indicate an error, but causes the product to modify its behavior based on the incorrect result. Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-37897
- https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b
  "more SSTI fixes in Utils::isDangerousFunction() · getgrav/grav@71bbed1 · GitHub" (Product)
- https://github.com/getgrav/grav/security/advisories/GHSA-9436-3gmp-4f53
  "Server-side Template Injection (SSTI) mitigation bypass via incorrect filtering of double backslash · Advisory · getgrav/grav · GitHub" (Exploit; Mitigation; Vendor Advisory)
- https://github.com/getgrav/grav/commit/b4c62101a43051fc7f5349c7d0a5b6085375c1d7
  "SSTI attack mitigation - GHSA-9436-3gmp-4f53 · getgrav/grav@b4c6210 · GitHub" (Patch)