GHSA-6324-52pr-h4p5

Source

https://github.com/advisories/GHSA-6324-52pr-h4p5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-6324-52pr-h4p5/GHSA-6324-52pr-h4p5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6324-52pr-h4p5

Aliases

CVE-2023-49089

Published

2023-12-13T13:24:53Z

Modified

2024-02-16T08:17:27.590275Z

Severity

0.0 (None) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:N CVSS Calculator

Summary

Using the directory back payload (“/../”) in a package name allows placement of package in other folders.

Details

Impact

Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location.

Explanation of the vulnerability

The “Package” section in Umbraco Backoffice allows a logged in user to write folders outside of the default package directory.

Database specific

{
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "nvd_published_at": "2023-12-12T19:15:07Z",
    "github_reviewed_at": "2023-12-13T13:24:53Z"
}

References

Affected packages

NuGet / Umbraco.CMS

Package

Name: Umbraco.CMS; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.CMS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.0.0

Fixed

8.18.10

NuGet / Umbraco.CMS

Package

Name: Umbraco.CMS; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.CMS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

10.8.1

Affected versions

9.*

9.0.0

9.0.1

9.1.0-rc

9.1.0

9.1.1

9.1.2

9.2.0-rc

9.2.0

9.3.0-rc

9.3.0

9.3.1

9.4.0-rc

9.4.0

9.4.1

9.4.2

9.4.3

9.5.0-rc

9.5.0-rc2

9.5.0-rc3

9.5.0

9.5.1

9.5.2

9.5.3

9.5.4

10.*

10.0.0-rc1

10.0.0-rc2

10.0.0-rc3

10.0.0-rc4

10.0.0-rc5

10.0.0

10.0.1

10.1.0-rc

10.1.0-rc2

10.1.0

10.1.1

10.2.0-rc

10.2.0

10.2.1

10.3.0-rc

10.3.0

10.3.1

10.3.2

10.4.0-rc

10.4.0

10.4.1

10.4.2

10.5.0-rc

10.5.0

10.5.1

10.6.0-rc

10.6.0

10.6.1

10.7.0-rc

10.7.0

10.8.0-rc

10.8.0

NuGet / Umbraco.CMS

Package

Name: Umbraco.CMS; View open source insights on deps.dev
Purl: pkg:nuget/Umbraco.CMS

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

12.3.4

Affected versions

11.*

11.0.0

11.1.0-rc

11.1.0

11.2.0-rc

11.2.0

11.2.1

11.2.2

11.3.0-rc

11.3.0

11.3.1

11.4.0-rc

11.4.0

11.4.1

11.4.2

11.5.0-rc

11.5.0

12.*

12.0.0-rc1

12.0.0-rc2

12.0.0-rc3

12.0.0-rc4

12.0.0-rc5

12.0.0

12.0.1

12.1.0-rc

12.1.0

12.1.1

12.1.2

12.2.0-rc

12.2.0

12.3.0-rc

12.3.0

12.3.1

12.3.2

12.3.3