CVE-2023-34448 – Grav Server-side Template Injection (SSTI) via Twig Default Filters
https://notcve.org/view.php?id=CVE-2023-34448
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`. Grav es un sistema de gestión de contenidos de archivos planos. Antes de la versión 1.7.42, el parche para CVE-2022-2073, una vulnerabilidad de inyección de plantillas del lado del servidor en Gray aprovechando la función predeterminada "filter()", no bloqueaba otras funciones integradas expuestas por la extensión principal de Twig que podían utilizarse para invocar funciones no seguras arbitrarias, permitiendo así la ejecución remota de código. • https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8 https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8 https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148 https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66 https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2023-34253 – Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass
https://notcve.org/view.php?id=CVE-2023-34253
Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily subverted in multiple ways -- (1) using unsafe functions that are not banned, (2) using capitalised callable names, and (3) using fully-qualified names for referencing callables. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. A patch in version 1.7.42 improves the denylist. • https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1952-L2190 https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b https://github.com/getgrav/grav/security/advisories/GHSA-j3v8-v77f-fvgm https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66 https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-184: Incomplete List of Disallowed Inputs CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2023-34252 – Grav Server-side Template Injection via Insufficient Validation in filterFilter
https://notcve.org/view.php?id=CVE-2023-34252
Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument passed to filter is a string. However, passing an array as a callable argument allows the validation check to be skipped. Consequently, a low privileged attacker with login access to Grav Admin panel and page creation/update permissions is able to inject malicious templates to obtain remote code execution. The vulnerability can be found in the `GravExtension.filterFilter()` function declared in `/system/src/Grav/Common/Twig/Extension/GravExtension.php`. • https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Twig/Extension/GravExtension.php#L1692-L1698 https://github.com/getgrav/grav/blob/1.7.40/system/src/Grav/Common/Utils.php#L1956-L2074 https://github.com/getgrav/grav/commit/244758d4383034fe4cd292d41e477177870b65ec https://github.com/getgrav/grav/security/advisories/GHSA-96xv-rmwj-6p9w • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-184: Incomplete List of Disallowed Inputs CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2023-34251 – Grav Server Side Template Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-34251
Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue. • https://github.com/getgrav/grav/blob/develop/system/src/Grav/Common/Twig/Extension/GravExtension.php#L174 https://github.com/getgrav/grav/commit/9d01140a63c77075ef09b26ef57cf186138151a5 https://github.com/getgrav/grav/security/advisories/GHSA-f9jf-4cp4-4fq5 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-2073 – Code Injection in getgrav/grav
https://notcve.org/view.php?id=CVE-2022-2073
Code Injection in GitHub repository getgrav/grav prior to 1.7.34. Una Inyección de Código en el repositorio GitHub getgrav/grav versiones anteriores a 1.7.34 • https://github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83 https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66 • CWE-94: Improper Control of Generation of Code ('Code Injection') •