GHSA-f8v5-jmfh-pr69
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f8v5-jmfh-pr69
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-f8v5-jmfh-pr69/GHSA-f8v5-jmfh-pr69.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f8v5-jmfh-pr69
- Aliases
- Published
- 2024-05-15T17:15:51Z
- Modified
- 2024-05-19T02:24:45.980252Z
- Severity
-
- 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L CVSS Calculator
- Summary
- Grav Vulnerable to Arbitrary File Read to Account Takeover
- Details
-
Summary
A low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - /grav/user/accounts/*.yaml. This file stores hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password.
Proof Of Concept
{{ read_file('/var/www/html/grav/user/accounts/riri.yaml') }}Use the above Twig template syntax in a page and observe that the administrator riri's authentication details are exposed accessible by any unauthenticated user.
As an additional proof of concept for reading system files, observe the
/etc/passwdfile read using the following Twig syntax:{{ read_file('/etc/passwd') }}Impact
This can allow a low privileged user to perform a full account takeover of other registered users including Adminsitrators. This can also allow an adversary to read any file in the web server.
- References
Affected packages
Packagist / getgrav/grav
Package
- Name
- getgrav/grav
- Purl
- pkg:composer/getgrav/grav
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.7.46