GHSA-p7f6-8mcm-fwv3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p7f6-8mcm-fwv3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-p7f6-8mcm-fwv3/GHSA-p7f6-8mcm-fwv3.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p7f6-8mcm-fwv3
- Aliases
- Published
- 2024-11-19T18:03:07Z
- Modified
- 2024-11-19T21:02:13.930750Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Statamic CMS has a Path Traversal in Asset Upload
- Details
-
Assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured.
Impact
- Affects front-end forms with
assetsfields. - Affects other places where assets can be uploaded, although users would need upload permissions anyway.
- Files can be uploaded so they would be located on the server in a different location, and potentially override existing files.
- Traversal outside an asset container was not possible.
Patches
This has been fixed in 5.17.0.
- Affects front-end forms with
- References
-
- https://github.com/statamic/cms/security/advisories/GHSA-p7f6-8mcm-fwv3
- https://nvd.nist.gov/vuln/detail/CVE-2024-52600
- https://github.com/statamic/cms/commit/0c07c10009a2439c8ee56c8faefd1319dc6e388d
- https://github.com/statamic/cms/commit/400875b20f40e1343699d536a432a6fc284346da
- https://github.com/statamic/cms/commit/4cc2c9bd0f39a93b3fc7e9ef0f12792576fd380d
- https://github.com/statamic/cms
Affected packages
Packagist / statamic/cms
Package
- Name
- statamic/cms
- Purl
- pkg:composer/statamic/cms
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.17.0
Affected versions
v3.*
v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-beta.3
v3.0.0-beta.4
v3.0.0-beta.5
v3.0.0-beta.6
v3.0.0-beta.7
v3.0.0-beta.8
v3.0.0-beta.9
v3.0.0-beta.10
v3.0.0-beta.11
v3.0.0-beta.12
v3.0.0-beta.13
v3.0.0-beta.14
v3.0.0-beta.15
v3.0.0-beta.16
v3.0.0-beta.17
v3.0.0-beta.18
v3.0.0-beta.19
v3.0.0-beta.20
v3.0.0-beta.21
v3.0.0-beta.22
v3.0.0-beta.23
v3.0.0-beta.24
v3.0.0-beta.25
v3.0.0-beta.26
v3.0.0-beta.27
v3.0.0-beta.28
v3.0.0-beta.29
v3.0.0-beta.30
v3.0.0-beta.31
v3.0.0-beta.32
v3.0.0-beta.33
v3.0.0-beta.34
v3.0.0-beta.35
v3.0.0-beta.36
v3.0.0-beta.37
v3.0.0-beta.38
v3.0.0-beta.39
v3.0.0-beta.40
v3.0.0-beta.41
v3.0.0-beta.42
v3.0.0-beta.43
v3.0.0-beta.44
v3.0.0-beta.45
v3.0.0-beta.46
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.19
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.30
v3.0.31
v3.0.32
v3.0.33
v3.0.34
v3.0.35
v3.0.35.1
v3.0.36
v3.0.36.1
v3.0.37
v3.0.38
v3.0.39
v3.0.40
v3.0.41
v3.0.42
v3.0.43
v3.0.44
v3.0.45
v3.0.46
v3.0.47
v3.0.48
v3.0.49
v3.1.0-alpha.1
v3.1.0-alpha.2
v3.1.0-alpha.3
v3.1.0-alpha.4
v3.1.0-beta.1
v3.1.0-beta.2
v3.1.0-beta.3
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.20
v3.1.21
v3.1.22
v3.1.23
v3.1.24
v3.1.25
v3.1.26
v3.1.27
v3.1.28
v3.1.29
v3.1.30
v3.1.31
v3.1.32
v3.1.33
v3.1.34
v3.1.35
v3.2.0-beta.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25
v3.2.26
v3.2.27
v3.2.28
v3.2.29
v3.2.30
v3.2.31
v3.2.32
v3.2.33
v3.2.34
v3.2.35
v3.2.36
v3.2.37
v3.2.38
v3.2.39
v3.3.0-beta.1
v3.3.0-beta.2
v3.3.0-beta.3
v3.3.0-beta.4
v3.3.0-beta.5
v3.3.0-beta.6
v3.3.0-beta.7
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.17
v3.3.18
v3.3.19
v3.3.20
v3.3.21
v3.3.22
v3.3.23
v3.3.24
v3.3.25
v3.3.26
v3.3.27
v3.3.28
v3.3.29
v3.3.30
v3.3.31
v3.3.32
v3.3.33
v3.3.34
v3.3.35
v3.3.36
v3.3.37
v3.3.38
v3.3.39
v3.3.40
v3.3.41
v3.3.42
v3.3.43
v3.3.44
v3.3.45
v3.3.46
v3.3.47
v3.3.48
v3.3.49
v3.3.50
v3.3.51
v3.3.52
v3.3.53
v3.3.54
v3.3.55
v3.3.56
v3.3.57
v3.3.58
v3.3.59
v3.3.60
v3.3.61
v3.3.62
v3.3.63
v3.3.64
v3.3.65
v3.3.66
v3.3.67
v3.3.68
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v4.*
v4.0.0-alpha.1
v4.0.0-alpha.2
v4.0.0-alpha.3
v4.0.0-alpha.4
v4.0.0-alpha.5
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.0-beta.3
v4.0.0-beta.4
v4.0.0
v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.2.0
v4.3.0
v4.4.0
v4.5.0
v4.6.0
v4.7.0
v4.8.0
v4.9.0
v4.9.1
v4.9.2
v4.10.0
v4.10.1
v4.10.2
v4.11.0
v4.12.0
v4.13.0
v4.13.1
v4.13.2
v4.14.0
v4.15.0
v4.16.0
v4.17.0
v4.18.0
v4.19.0
v4.20.0
v4.21.0
v4.22.0
v4.23.0
v4.23.1
v4.23.2
v4.24.0
v4.25.0
v4.26.0
v4.26.1
v4.27.0
v4.28.0
v4.29.0
v4.30.0
v4.31.0
v4.32.0
v4.33.0
v4.34.0
v4.35.0
v4.36.0
v4.37.0
v4.38.0
v4.39.0
v4.40.0
v4.41.0
v4.42.0
v4.42.1
v4.43.0
v4.44.0
v4.45.0
v4.46.0
v4.47.0
v4.48.0
v4.49.0
v4.50.0
v4.51.0
v4.52.0
v4.53.0
v4.53.1
v4.53.2
v4.54.0
v4.55.0
v4.56.0
v4.56.1
v4.57.0
v4.57.1
v4.57.2
v4.57.3
v4.58.0
v4.58.1
v4.58.2
v4.58.3
v5.*
v5.0.0-alpha.1
v5.0.0-alpha.2
v5.0.0-alpha.3
v5.0.0-alpha.4
v5.0.0-alpha.5
v5.0.0-alpha.6
v5.0.0-beta.1
v5.0.0-beta.2
v5.0.0-beta.3
v5.0.0-beta.4
v5.0.0
v5.0.1
v5.0.2
v5.1.0
v5.2.0
v5.3.0
v5.4.0
v5.5.0
v5.6.0
v5.6.1
v5.6.2
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.8.0
v5.9.0
v5.10.0
v5.11.0
v5.12.0
v5.13.0
v5.14.0
v5.15.0
v5.16.0