CVE-2021-22968

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NThis fix is also in Concrete version 9.0.0

Un bypass en la adición de archivos remotos en el Administrador de Archivos de Concrete CMS (anteriormente concrete5) conlleva a una ejecución de código remota en Concrete CMS (concrete5) versiones 8.5.6 y anteriores. La funcionalidad external file upload escenifica archivos en el directorio público incluso si presentan extensiones de archivo no permitidas. Son almacenadas en un directorio con un nombre aleatorio, pero es posible detener las subidas y forzar el nombre del directorio. Debe ser un administrador con la capacidad de subir archivos, pero este bug le da la capacidad de subir los tipos de archivos restringidos y ejecutarlos en función de la configuración del servidor.Para solucionar esto, fue añadida una comprobación de las extensiones de archivo permitidas antes de descargar los archivos a un directorio tmp.Concrete CMS Security Team dio a esto una puntuación CVSS v3.1 de 5,4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NT Esta corrección también está en Concrete versión 9.0.0

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-06 CVE Reserved
2021-11-19 CVE Published
2024-05-03 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-330: Use of Insufficiently Random Values
CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://hackerone.com/reports/1350444	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes	2023-06-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Concretecms Search vendor "Concretecms"		Concrete Cms Search vendor "Concretecms" for product "Concrete Cms"				< 8.5.7 Search vendor "Concretecms" for product "Concrete Cms" and version " < 8.5.7"		-		Affected