CVE-2023-47636

Full Path Disclosure via re-export document in pimcore/admin-ui-classic-bundle

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. In the case of pimcore, the fopen() function here doesn't have an error handle when the file doesn't exist on the server so the server response raises the full path "fopen(/var/www/html/var/tmp/export-{ uniqe id}.csv)". This issue has been patched in commit `10d178ef771` which has been included in release version 1.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

El paquete Pimcore Admin Classic proporciona una interfaz de usuario de backend para Pimcore. Las vulnerabilidades de Full Path Disclosure (FPD) permiten al atacante ver la ruta al archivo/raíz web. Por ejemplo: /home/omg/htdocs/file/. Ciertas vulnerabilidades, como el uso de la consulta load_file() (dentro de una inyección SQL) para ver el origen de la página, requieren que el atacante tenga la ruta completa al archivo que desea ver. En el caso de pimcore, la función fopen() aquí no tiene un controlador de error cuando el archivo no existe en el servidor, por lo que la respuesta del servidor genera la ruta completa "fopen(/var/www/html/var/tmp/export-{uniqe id}.csv)". Este problema se solucionó en el commit `10d178ef771` que se incluyó en la versión 1.2.1. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

*Credits: N/A

CVSS Scores

NISTv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-11-07 CVE Reserved
2023-11-15 CVE Published
2024-08-29 CVE Updated
2024-08-29 First Exploit
2024-10-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-209: Generation of Error Message Containing Sensitive Information

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://huntr.com/bounties/4af4db18-9fd4-43e9-8bc6-c88aaf76839c	2024-08-29

URL	Date	SRC
https://github.com/pimcore/admin-ui-classic-bundle/commit/10d178ef771097604a256c1192b098af9ec57a87	2023-11-22

URL	Date	SRC
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-c8hj-w239-5gvf	2023-11-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pimcore Search vendor "Pimcore"		Admin Classic Bundle Search vendor "Pimcore" for product "Admin Classic Bundle"				< 1.2.1 Search vendor "Pimcore" for product "Admin Classic Bundle" and version " < 1.2.1"		pimcore		Affected