CVE-2022-3342

{"id": "CVE-2022-3342", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2023-10-20T08:15:11.787", "references": [{"url": "https://plugins.trac.wordpress.org/browser/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php?rev=2790863", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/2805282/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/98ab264f-b210-41d0-bb6f-b4f31d933f80?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the \u2018zbscrmcsvimpf\u2019 parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected in the execution stream. This allows an unauthenticated attacker to obtain object injection if they are able to upload a phar archive (for instance if the site supports image uploads) and then trick an administrator into performing an action, such as clicking a link."}, {"lang": "es", "value": "El complemento Jetpack CRM para WordPress es vulnerable a la deserializaci\u00f3n PHAR a trav\u00e9s del par\u00e1metro 'zbscrmcsvimpf' en la funci\u00f3n 'zeroBSCRM_CSVImporterLitehtml_app' en versiones hasta la 5.3.1 incluida. Si bien la funci\u00f3n realiza una verificaci\u00f3n nonce, los pasos 2 y 3 de la verificaci\u00f3n no realizan ninguna acci\u00f3n ante una verificaci\u00f3n fallida. Luego, estos pasos realizan una verificaci\u00f3n de 'file_exists' en el valor de 'zbscrmcsvimpf'. Si se proporciona un archivo phar://, su contenido se deserializar\u00e1 y se inyectar\u00e1 un objeto en el flujo de ejecuci\u00f3n. Esto permite a un atacante no autenticado obtener una inyecci\u00f3n de objetos si puede cargar un archivo phar (por ejemplo, si el sitio admite la carga de im\u00e1genes) y luego enga\u00f1ar a un administrador para que realice una acci\u00f3n, como hacer click en un enlace."}], "lastModified": "2023-11-07T03:51:08.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:automattic:jetpack_crm:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "23B2D955-C8DB-410C-854D-E1276B683ABA", "versionEndIncluding": "5.3.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}