GHSA-g273-wppx-82w4

Source

https://github.com/advisories/GHSA-g273-wppx-82w4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-g273-wppx-82w4/GHSA-g273-wppx-82w4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g273-wppx-82w4

Aliases

CVE-2024-21667

Published

2024-01-10T15:24:08Z

Modified

2024-02-16T08:04:59.163344Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access GDPR extracts

Details

Summary

An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure.

Details

Permissions do not seem to be enforced when reaching the /admin/customermanagementframework/gdpr-data/search-data-objects endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place : https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38

PoC

In order to reproduce the issue, the following steps can be followed:

As an administrator : a. Create a role without any permission through Settings → User & Roles → Roles in the administration panel b. Create an user through Settings → User & Roles → Users and assign it the unprivileged role previously created
Log out the current administrator and log in with this new user
Access to the following endpoint https://pimcore_instance/admin/customermanagementframework/gdpr-data/search-data-objects?id=&firstname=&lastname=&email=&page=1&start=0&limit=50 and the results will be returned to this unauthorized user.

Impact

An unauthorized user can access PII data from customers without being authorized to.

Database specific

{
    "nvd_published_at": "2024-01-11T01:15:45Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-10T15:24:08Z"
}

References

Affected packages

Packagist / pimcore/customer-management-framework-bundle

Package

Name: pimcore/customer-management-framework-bundle
Purl: pkg:composer/pimcore/customer-management-framework-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.6

Affected versions

1.*

1.0.0

1.0.1

1.3.17

v1.*

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.3.10

v1.3.11

v1.3.12

v1.3.13

v1.3.14

v1.3.15

v1.3.16

v1.3.18

v1.3.19

v1.3.20

v1.3.21

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4.8

v1.4.9

v1.4.10

v1.4.11

v1.4.12

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.6

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.7.4

v1.8.0

v1.9.0

v1.9.1

v1.10.0

v1.10.1

v1.11.0

v1.12.0

v1.12.1

v1.13.0

v1.13.1

v1.14.0

v1.14.1

v1.14.2

v1.14.3

v1.14.4

v2.*

v2.0.0

v2.0.1

v2.1.0

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.6

v2.4.7

v2.5.0

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.6.0

v2.6.1

v2.6.2

2.*

2.4.5

2.5.1

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.1.0

v3.1.1

v3.2.0

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.2.10

v3.2.11

v3.2.12

v3.2.13

v3.2.14

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

v3.3.10

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.4.5

v4.*

v4.0.0-BETA1

v4.0.0-BETA2

v4.0.0-RC1

v4.0.0-RC2

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5