CVE-2021-43836

Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54	Patch Third Party Advisory
https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sulu:sulu::::::::
	cpe:2.3:a:sulu:sulu::::::::
	cpe:2.3:a:sulu:sulu::::::::
	cpe:2.3:a:sulu:sulu:2.4.0:rc1::::::

History

No history.

Information

Published : 2021-12-15 20:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-43836

Mitre link : CVE-2021-43836

CVE.ORG link : CVE-2021-43836

JSON object : View

Products Affected

sulu

sulu

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2021-43836", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}]}, "published": "2021-12-15T20:15:08.733", "references": [{"url": "https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language."}, {"lang": "es", "value": "Sulu es un sistema de administraci\u00f3n de contenidos PHP de c\u00f3digo abierto basado en el framework Symfony. En las versiones afectadas, un atacante puede leer archivos locales arbitrarios por medio de una inclusi\u00f3n de archivos PHP. En una configuraci\u00f3n por defecto esto tambi\u00e9n conlleva a una ejecuci\u00f3n de c\u00f3digo remota. El problema est\u00e1 parcheado con las versiones 1.6.44, 2.2.18, 2.3.8, 2.4.0. Para usuarios que no puedan actualizar sobrescribir el servicio \"sulu_route.generator.expression_token_provider\" y envolver el traductor antes de pasarlo al lenguaje de expresi\u00f3n"}], "lastModified": "2021-12-21T02:09:55.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "838D4309-D6D9-4884-B6C7-F4529DD7AD68", "versionEndExcluding": "1.6.44"}, {"criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B6E9B64-0B43-40AD-B0B4-C8BA5EEA6F31", "versionEndExcluding": "2.2.18", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "354C0B42-D950-497B-B3B7-09EA07063564", "versionEndExcluding": "2.3.8", "versionStartIncluding": "2.3.0"}, {"criteria": "cpe:2.3:a:sulu:sulu:2.4.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2889EBAA-7A15-436C-9658-CA67F7122DC1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}