CVE-2020-29555

Source
https://cve.org/CVERecord?id=CVE-2020-29555
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-29555.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-29555
Aliases
Published
2021-03-15T18:15:17.253Z
Modified
2026-07-08T05:58:45.644188377Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
[none]
Details

The BackupDelete functionality in Grav CMS through 1.7.0-rc.17 allows an authenticated attacker to delete arbitrary files on the underlying server by exploiting a path-traversal technique. (This vulnerability can also be exploited by an unauthenticated attacker due to a lack of CSRF protection.)

Database specific
{
    "unresolved_ranges": [
        {
            "vendor_product": "getgrav:grav_cms",
            "cpes": [
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta10:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta1:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta2:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta3:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta4:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta5:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta6:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta7:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta8:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:beta9:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc10:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc11:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc12:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc13:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc14:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc15:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc16:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc17:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc1:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc20:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc2:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc3:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc4:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc5:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc6:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc7:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc8:*:*:*:*:*:*",
                "cpe:2.3:a:getgrav:grav_cms:1.7.0:rc9:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING",
            "extracted_events": [
                {
                    "introduced": "1.7.0-beta1"
                },
                {
                    "last_affected": "1.7.0-beta1"
                },
                {
                    "introduced": "1.7.0-beta10"
                },
                {
                    "last_affected": "1.7.0-beta10"
                },
                {
                    "introduced": "1.7.0-beta2"
                },
                {
                    "last_affected": "1.7.0-beta2"
                },
                {
                    "introduced": "1.7.0-beta3"
                },
                {
                    "last_affected": "1.7.0-beta3"
                },
                {
                    "introduced": "1.7.0-beta4"
                },
                {
                    "last_affected": "1.7.0-beta4"
                },
                {
                    "introduced": "1.7.0-beta5"
                },
                {
                    "last_affected": "1.7.0-beta5"
                },
                {
                    "introduced": "1.7.0-beta6"
                },
                {
                    "last_affected": "1.7.0-beta6"
                },
                {
                    "introduced": "1.7.0-beta7"
                },
                {
                    "last_affected": "1.7.0-beta7"
                },
                {
                    "introduced": "1.7.0-beta8"
                },
                {
                    "last_affected": "1.7.0-beta8"
                },
                {
                    "introduced": "1.7.0-beta9"
                },
                {
                    "last_affected": "1.7.0-beta9"
                },
                {
                    "introduced": "1.7.0-rc1"
                },
                {
                    "last_affected": "1.7.0-rc1"
                },
                {
                    "introduced": "1.7.0-rc10"
                },
                {
                    "last_affected": "1.7.0-rc10"
                },
                {
                    "introduced": "1.7.0-rc11"
                },
                {
                    "last_affected": "1.7.0-rc11"
                },
                {
                    "introduced": "1.7.0-rc12"
                },
                {
                    "last_affected": "1.7.0-rc12"
                },
                {
                    "introduced": "1.7.0-rc13"
                },
                {
                    "last_affected": "1.7.0-rc13"
                },
                {
                    "introduced": "1.7.0-rc14"
                },
                {
                    "last_affected": "1.7.0-rc14"
                },
                {
                    "introduced": "1.7.0-rc15"
                },
                {
                    "last_affected": "1.7.0-rc15"
                },
                {
                    "introduced": "1.7.0-rc16"
                },
                {
                    "last_affected": "1.7.0-rc16"
                },
                {
                    "introduced": "1.7.0-rc17"
                },
                {
                    "last_affected": "1.7.0-rc17"
                },
                {
                    "introduced": "1.7.0-rc2"
                },
                {
                    "last_affected": "1.7.0-rc2"
                },
                {
                    "introduced": "1.7.0-rc20"
                },
                {
                    "last_affected": "1.7.0-rc20"
                },
                {
                    "introduced": "1.7.0-rc3"
                },
                {
                    "last_affected": "1.7.0-rc3"
                },
                {
                    "introduced": "1.7.0-rc4"
                },
                {
                    "last_affected": "1.7.0-rc4"
                },
                {
                    "introduced": "1.7.0-rc5"
                },
                {
                    "last_affected": "1.7.0-rc5"
                },
                {
                    "introduced": "1.7.0-rc6"
                },
                {
                    "last_affected": "1.7.0-rc6"
                },
                {
                    "introduced": "1.7.0-rc7"
                },
                {
                    "last_affected": "1.7.0-rc7"
                },
                {
                    "introduced": "1.7.0-rc8"
                },
                {
                    "last_affected": "1.7.0-rc8"
                },
                {
                    "introduced": "1.7.0-rc9"
                },
                {
                    "last_affected": "1.7.0-rc9"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/getgrav/grav

Affected ranges

Type
GIT
Repo
https://github.com/getgrav/grav
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:getgrav:grav_cms:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.7.0"
        }
    ]
}

Affected versions

0.*
0.8.0
0.9.0
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.16
0.9.17
0.9.18
0.9.19
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
1.*
1.1.0-beta.1
1.1.0-beta.2
1.1.0-beta.3
1.1.0-beta.4
1.1.0-beta.5
1.1.0-rc.1
1.1.0-rc.2
1.1.0-rc.3
1.1.9-rc.1
1.1.9-rc.2
1.1.9-rc.3
1.2.0-rc.1
1.2.0-rc.2
1.2.0-rc.3
1.3.0-rc.1
1.3.0-rc.3
1.3.0-rc.4
1.3.0-rc.5
1.5.0-beta.1
1.5.0-beta.2
1.5.0-rc.1
1.6.0-beta.1
1.6.0-beta.2
1.6.0-beta.5
1.6.0-beta.6
1.6.0-beta.7
1.6.0-beta.8
1.6.0-rc.1
1.6.0-rc.2
1.6.0-rc.3
1.6.0-rc.4
1.7.0-beta.1
1.7.0-beta.10
1.7.0-beta.2
1.7.0-beta.3
1.7.0-beta.4
1.7.0-beta.5
1.7.0-beta.6
1.7.0-beta.7
1.7.0-beta.8
1.7.0-beta.9
1.7.0-rc.1
1.7.0-rc.10
1.7.0-rc.12
1.7.0-rc.13
1.7.0-rc.14
1.7.0-rc.15
1.7.0-rc.17
1.7.0-rc.18
1.7.0-rc.19
1.7.0-rc.2
1.7.0-rc.20
1.7.0-rc.3
1.7.0-rc.4
1.7.0-rc.5
1.7.0-rc.6
1.7.0-rc.7
1.7.0-rc.8
1.7.0-rc.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-29555.json"