GHSA-w9wc-4xcq-8gr6

Source
https://github.com/advisories/GHSA-w9wc-4xcq-8gr6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-w9wc-4xcq-8gr6/GHSA-w9wc-4xcq-8gr6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-w9wc-4xcq-8gr6
Aliases
Published
2022-12-09T20:08:32Z
Modified
2023-12-06T01:02:43.009408Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Akeneo PIM Community Edition vulnerable to remote php code execution
Details

Impact

Akeneo PIM Community Edition versions before v5.0.119 and v6.0.53 allow remote authenticated users to execute arbitrary PHP code on the server by uploading a crafted image.

Patches

Akeneo PIM Community Edition releases from the versions named above onward ship a patched Apache HTTP server configuration file, both for the Docker setup and in the documentation sample, to fix this vulnerability.
Community Edition users must change their own Apache HTTP server configuration accordingly to be protected. The patch for Cloud Based Akeneo PIM Services customers has been applied since 30th October 2022.

Workarounds

Replace any <FilesMatch \.php$> block in your Apache httpd configuration with <Location "/index.php">, as shown in https://github.com/akeneo/pim-community-dev/blob/b4d79bb073c8b68ea26ab227c97cc78d86c4cba1/docker/httpd.conf#L39. This restricts the PHP handler to the application's front controller instead of every path that ends in .php.
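To make the workaround concrete, the following added example (not code from the advisory or from the Akeneo project) embeds a constructed sample of the weak Apache container beside the hardened one and runs a small audit over both. The handler target "proxy:fcgi://fpm:9000" is an assumption chosen for illustration; the audit is a heuristic that flags any pattern-based container (FilesMatch or LocationMatch) that hands a generic .php name to a PHP handler, which is exactly the difference between the two fragments.

```python
from __future__ import annotations

import re

# Constructed sample of the weak pattern the advisory tells operators to replace:
# every path ending in .php is routed to the PHP handler, so a .php file that
# lands in any web-served directory would be executed.
WEAK_CONF = """\
<FilesMatch \\.php$>
    SetHandler "proxy:fcgi://fpm:9000"
</FilesMatch>
"""

# Constructed sample of the hardened pattern: only the front controller is
# routed to PHP; any other .php path is treated as a plain file by Apache.
HARDENED_CONF = """\
<Location "/index.php">
    SetHandler "proxy:fcgi://fpm:9000"
</Location>
"""

# Matches a container directive, its argument and its body (assumes no nesting).
BLOCK_RE = re.compile(
    r"<(FilesMatch|Files|Location|LocationMatch)\s+(.+?)>\s*(.*?)</\1>",
    re.S | re.I,
)

# A SetHandler line that points at a PHP or FastCGI handler.
PHP_HANDLER_RE = re.compile(r"^\s*SetHandler\b.*(php|fcgi)", re.I | re.M)


def php_handler_scopes(conf: str) -> list[tuple[str, str]]:
    """Return (directive, argument) for every container that sets a PHP handler."""
    scopes = []
    for match in BLOCK_RE.finditer(conf):
        directive, arg, body = match.group(1), match.group(2).strip(), match.group(3)
        if PHP_HANDLER_RE.search(body):
            scopes.append((directive, arg))
    return scopes


def is_weak(conf: str) -> bool:
    """True if a regex-scoped container would route an arbitrary .php name to PHP.

    Location/Files containers name a fixed path, so they are not flagged; a
    FilesMatch/LocationMatch regex is flagged when it accepts a generic
    name such as 'upload.php' rather than only the front controller.
    """
    for directive, arg in php_handler_scopes(conf):
        if directive.lower() in ("filesmatch", "locationmatch"):
            pattern = arg.strip("\"'")
            if re.search(pattern, "upload.php"):
                return True
    return False


def audit(conf: str) -> dict:
    """Summarise where PHP is enabled and whether the scope is too broad."""
    return {"php_scopes": php_handler_scopes(conf), "weak": is_weak(conf)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Running the block prints the two audit results; the weak fragment is reported with weak=True and the hardened one with weak=False. The same audit function can be pointed at a real httpd.conf, with the caveat that it does not resolve Include directives or nested containers.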


Database specific
{
    "nvd_published_at": "2022-12-09T21:15:00Z",
    "github_reviewed_at": "2022-12-09T20:08:32Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-434",
        "CWE-94"
    ]
}
References

Affected packages

Packagist / akeneo/pim-community-dev

Package

Name
akeneo/pim-community-dev
Purl
pkg:composer/akeneo/pim-community-dev

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.0.53

Affected versions

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.16
v6.0.17
v6.0.18
v6.0.19
v6.0.20
v6.0.21
v6.0.22
v6.0.23
v6.0.24
v6.0.25
v6.0.26
v6.0.27
v6.0.28
v6.0.29
v6.0.30
v6.0.31
v6.0.32
v6.0.33
v6.0.34
v6.0.35
v6.0.36
v6.0.37
v6.0.38
v6.0.39
v6.0.40
v6.0.41
v6.0.42
v6.0.43
v6.0.44
v6.0.45
v6.0.46
v6.0.47
v6.0.48
v6.0.49
v6.0.50
v6.0.51
v6.0.52

Packagist / akeneo/pim-community-dev

Package

Name
akeneo/pim-community-dev
Purl
pkg:composer/akeneo/pim-community-dev

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.0.119

Affected versions

v1.*

v1.0.0-ALPHA1
v1.0.0-BETA1
v1.0.0-ALPHA2
v1.0.0-BETA2
v1.0.0-ALPHA3
v1.0.0-BETA3
v1.0.0-ALPHA4
v1.0.0-BETA4
v1.0.0-RC1
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.1.0-RC1
v1.1.0-RC2
v1.1.0-RC3
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.2.0-BETA1
v1.2.0-BETA2
v1.2.0-RC1
v1.2.0-RC2
v1.2.0-RC3
v1.2.0-RC4
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.17
v1.2.18
v1.2.19
v1.2.20
v1.2.21
v1.2.22
v1.2.23
v1.2.24
v1.2.25
v1.2.26
v1.2.27
v1.2.28
v1.2.29
v1.2.30
v1.2.31
v1.2.32
v1.2.33
v1.2.34
v1.2.35
v1.2.36
v1.2.37
v1.3.0-BETA1
v1.3.0-RC1
v1.3.0-RC2
v1.3.0-RC3
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.3.20
v1.3.21
v1.3.22
v1.3.23
v1.3.24
v1.3.25
v1.3.26
v1.3.27
v1.3.28
v1.3.29
v1.3.31
v1.3.32
v1.3.33
v1.3.34
v1.3.35
v1.3.36
v1.3.37
v1.3.38
v1.3.39
v1.3.40
v1.3.41
v1.4.0-ALPHA1
v1.4.0-BETA1
v1.4.0-BETA2
v1.4.0-BETA3
v1.4.0-RC1
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.15
v1.4.16
v1.4.17
v1.4.18
v1.4.19
v1.4.20
v1.4.21
v1.4.22
v1.4.23
v1.4.24
v1.4.25
v1.4.26
v1.4.27
v1.4.28
v1.5.0-ALPHA1
v1.5.0-BETA1
v1.5.0-RC1
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.8
v1.5.9
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.15
v1.5.16
v1.5.17
v1.5.18
v1.5.19
v1.5.20
v1.5.21
v1.5.22
v1.5.23
v1.5.24
v1.5.25
v1.5.26
v1.5.27
v1.6.0-ALPHA1
v1.6.0-ALPHA2
v1.6.0-RC1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.6.10
v1.6.11
v1.6.12
v1.6.13
v1.6.14
v1.6.15
v1.6.16
v1.6.17
v1.6.18
v1.6.19
v1.6.20
v1.6.21
v1.6.22
v1.6.23
v1.7.0-ALPHA1
v1.7.0-BETA1
v1.7.0-BETA2
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.7.10
v1.7.11
v1.7.12
v1.7.13
v1.7.14
v1.7.15
v1.7.16
v1.7.17
v1.7.18
v1.7.19
v1.7.20
v1.7.21
v1.7.22
v1.7.23
v1.7.24
v1.7.25
v1.7.26
v1.7.27
v1.7.28
v1.7.29
v1.7.30
v1.7.31
v1.7.32
v1.7.33
v1.7.34
v1.7.35
v1.7.36
v1.7.37
v1.7.38
v1.7.39
v1.7.40
v1.7.41

1.*

1.3.30

v2.*

v2.0.0-ALPHA1
v2.0.0-BETA1
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.25
v2.0.26
v2.0.27
v2.0.28
v2.0.29
v2.0.30
v2.0.31
v2.0.32
v2.0.33
v2.0.34
v2.0.35
v2.0.36
v2.0.37
v2.0.38
v2.0.39
v2.0.40
v2.0.41
v2.0.42
v2.0.43
v2.0.44
v2.0.45
v2.0.46
v2.0.47
v2.0.48
v2.0.49
v2.0.50
v2.0.51
v2.0.52
v2.1.0-ALPHA1
v2.1.0-ALPHA2
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0-ALPHA0
v2.2.0-ALPHA1
v2.2.0-BETA1
v2.2.0-ALPHA2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10
v2.2.11
v2.2.12
v2.3.0-ALPHA1
v2.3.0-BETA1
v2.3.0-ALPHA2
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.40
v2.3.41
v2.3.42
v2.3.43
v2.3.44
v2.3.45
v2.3.46
v2.3.47
v2.3.48
v2.3.49
v2.3.50
v2.3.51
v2.3.52
v2.3.53
v2.3.54
v2.3.55
v2.3.56
v2.3.57
v2.3.58
v2.3.59
v2.3.60
v2.3.61
v2.3.62
v2.3.63
v2.3.64
v2.3.65
v2.3.66
v2.3.67
v2.3.68
v2.3.69
v2.3.70
v2.3.71
v2.3.72
v2.3.73
v2.3.74
v2.3.75
v2.3.76
v2.3.77
v2.3.78

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.0.10
v3.0.11
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.19
v3.0.20
v3.0.21
v3.0.22
v3.0.23
v3.0.24
v3.0.25
v3.0.26
v3.0.27
v3.0.28
v3.0.29
v3.0.30
v3.0.31
v3.0.32
v3.0.33
v3.0.34
v3.0.35
v3.0.36
v3.0.37
v3.0.38
v3.0.39
v3.0.40
v3.0.41
v3.0.42
v3.0.43
v3.0.44
v3.0.45
v3.0.46
v3.0.47
v3.0.48
v3.0.49
v3.0.50
v3.0.51
v3.0.52
v3.0.53
v3.0.54
v3.0.55
v3.0.56
v3.0.57
v3.0.58
v3.0.59
v3.0.60
v3.0.61
v3.0.62
v3.0.63
v3.0.64
v3.0.65
v3.0.66
v3.0.67
v3.0.68
v3.0.69
v3.0.70
v3.0.71
v3.0.72
v3.0.73
v3.0.74
v3.0.75
v3.0.76
v3.0.77
v3.0.78
v3.0.79
v3.0.80
v3.0.81
v3.0.82
v3.0.83
v3.0.84
v3.1.0-BETA1
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.2.0-BETA1
v3.2.0-BETA2
v3.2.0-BETA3
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25
v3.2.26
v3.2.27
v3.2.28
v3.2.29
v3.2.30
v3.2.31
v3.2.32
v3.2.33
v3.2.34
v3.2.35
v3.2.36
v3.2.37
v3.2.38
v3.2.39
v3.2.40
v3.2.41
v3.2.42
v3.2.43
v3.2.44
v3.2.45
v3.2.46
v3.2.47
v3.2.48
v3.2.49
v3.2.50
v3.2.51
v3.2.52
v3.2.53
v3.2.54
v3.2.55
v3.2.56
v3.2.57
v3.2.58
v3.2.59
v3.2.60
v3.2.61
v3.2.62
v3.2.63
v3.2.64
v3.2.65
v3.2.66
v3.2.67
v3.2.68
v3.2.69
v3.2.70
v3.2.71
v3.2.72
v3.2.73
v3.2.74
v3.2.75
v3.2.76
v3.2.77
v3.2.78
v3.2.79
v3.2.80
v3.2.81
v3.2.82
v3.2.83
v3.2.84

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.0.10
v4.0.11
v4.0.12
v4.0.13
v4.0.14
v4.0.15
v4.0.16
v4.0.17
v4.0.18
v4.0.19
v4.0.20
v4.0.21
v4.0.22
v4.0.23
v4.0.24
v4.0.25
v4.0.26
v4.0.27
v4.0.28
v4.0.29
v4.0.30
v4.0.31
v4.0.32
v4.0.33
v4.0.34
v4.0.35
v4.0.36
v4.0.37
v4.0.38
v4.0.39
v4.0.40
v4.0.41
v4.0.42
v4.0.43
v4.0.44
v4.0.45
v4.0.46
v4.0.47
v4.0.48
v4.0.49
v4.0.50
v4.0.51
v4.0.52
v4.0.53
v4.0.54
v4.0.55
v4.0.56
v4.0.57
v4.0.58
v4.0.59
v4.0.60
v4.0.61
v4.0.62
v4.0.63
v4.0.64
v4.0.65
v4.0.66
v4.0.67
v4.0.68
v4.0.69
v4.0.70
v4.0.71
v4.0.72
v4.0.73
v4.0.74
v4.0.75
v4.0.76
v4.0.77
v4.0.78
v4.0.79
v4.0.80
v4.0.81
v4.0.82
v4.0.83
v4.0.84
v4.0.85
v4.0.86
v4.0.87
v4.0.88
v4.0.89
v4.0.90
v4.0.91
v4.0.92
v4.0.93
v4.0.94
v4.0.95
v4.0.96
v4.0.97
v4.0.98
v4.0.99
v4.0.100
v4.0.101
v4.0.102
v4.0.103
v4.0.104
v4.0.105
v4.0.106
v4.0.107
v4.0.108
v4.0.109
v4.0.110
v4.0.111
v4.0.112
v4.0.113
v4.0.114
v4.0.115
v4.0.116
v4.0.117
v4.0.118
v4.0.119
v4.0.120
v4.0.121
v4.0.122
v4.0.123
v4.0.124
v4.0.125
v4.0.126

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.0.10
v5.0.11
v5.0.12
v5.0.13
v5.0.14
v5.0.15
v5.0.16
v5.0.17
v5.0.18
v5.0.19
v5.0.20
v5.0.21
v5.0.22
v5.0.23
v5.0.24
v5.0.25
v5.0.26
v5.0.27
v5.0.28
v5.0.29
v5.0.30
v5.0.31
v5.0.32
v5.0.33
v5.0.34
v5.0.35
v5.0.36
v5.0.37
v5.0.38
v5.0.39
v5.0.40
v5.0.41
v5.0.42
v5.0.43
v5.0.44
v5.0.45
v5.0.46
v5.0.47
v5.0.48
v5.0.49
v5.0.50
v5.0.51
v5.0.52
v5.0.53
v5.0.54
v5.0.55
v5.0.56
v5.0.57
v5.0.58
v5.0.59
v5.0.60
v5.0.61
v5.0.62
v5.0.63
v5.0.64
v5.0.65
v5.0.66
v5.0.67
v5.0.68
v5.0.69
v5.0.70
v5.0.71
v5.0.72
v5.0.73
v5.0.74
v5.0.75
v5.0.76
v5.0.77
v5.0.78
v5.0.79
v5.0.80
v5.0.81
v5.0.82
v5.0.83
v5.0.84
v5.0.85
v5.0.86
v5.0.87
v5.0.88
v5.0.89
v5.0.90
v5.0.91
v5.0.92
v5.0.93
v5.0.94
v5.0.95
v5.0.96
v5.0.97
v5.0.98
v5.0.99
v5.0.100
v5.0.101
v5.0.102
v5.0.103
v5.0.104
v5.0.105
v5.0.106
v5.0.107
v5.0.108
v5.0.109
v5.0.110
v5.0.111
v5.0.112
v5.0.113
v5.0.114
v5.0.115
v5.0.116
v5.0.117
v5.0.118