CVE-2022-24800

Race Condition in October CMS upload process

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the `October\Rain\Database\Attach\File::fromData` as a public interface and does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Those who are unable to upgrade may apply with patch to their installation manually as a workaround.

October/System es el módulo de sistema para October CMS, una plataforma CMS auto-alojada basada en el framework PHP Laravel. En versiones anteriores a 1.0.476, 1.1.12 y 2.2.15, cuando el desarrollador permite al usuario especificar su propio nombre de archivo en el método "fromData", un usuario no autenticado puede llevar a cabo una ejecución de código remota (RCE) al explotar una condición de carrera en el directorio de almacenamiento temporal. Esta vulnerabilidad afecta a plugins que exponen el método "October\Rain\Database\Attach\File::fromData" como una interfaz pública y no afecta a las instalaciones vainilla de October CMS, ya que este método no está expuesto ni es usado por el sistema interna o externamente. El problema ha sido parcheado en la Build 476 (v1.0.476), v1.1.12 y v2.2.15. Aquellos que no puedan actualizar pueden aplicar el parche a su instalación manualmente como mitigación

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-07-12 CVE Published
2024-06-26 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83	2022-07-20
https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp	2022-07-20

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Octobercms Search vendor "Octobercms"		October Search vendor "Octobercms" for product "October"				< 1.0.476 Search vendor "Octobercms" for product "October" and version " < 1.0.476"		-		Affected
Octobercms Search vendor "Octobercms"		October Search vendor "Octobercms" for product "October"				>= 1.1.0 < 1.1.12 Search vendor "Octobercms" for product "October" and version " >= 1.1.0 < 1.1.12"		-		Affected
Octobercms Search vendor "Octobercms"		October Search vendor "Octobercms" for product "October"				>= 2.0.0 < 2.2.15 Search vendor "Octobercms" for product "October" and version " >= 2.0.0 < 2.2.15"		-		Affected