Vulnerability CVE-2019-16317


Published: 2019-09-14

Description:
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.

Type:

CWE-502

(Deserialization of Untrusted Data)

Vendor: Pimcore
Product: Pimcore 
Version:
5.3.0
5.2.3
5.2.2
5.2.1
5.2.0
5.1.3
5.1.2
5.1.1
5.1.0
5.0.4
5.0.3
5.0.2
5.0.0
4.6.3
4.6.2
4.6.1
4.6.0
4.5.0
4.4.3
4.4.2
4.4.1
4.4.0
4.3.1
4.3.0
4.2.0
4.1.3
4.1.2
4.1.1
4.1.0
4.0.1
4.0.0
3.1.1
2.3.0
2.2.2
2.2.1
2.2.0
2.1.0
1.5.0
1.4.9
1.4.3

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.5/10
6.4/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
https://github.com/pimcore/pimcore/commit/6ee5d8536d0802e377594cbe39083e822710aab9
https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-451599

Related CVE
CVE-2019-16318
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability t...
CVE-2019-10867
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parame...
CVE-2018-14059
Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes function...
CVE-2018-14058
Pimcore before 5.3.0 allows SQL Injection via the REST web service API.
CVE-2018-14057
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.
CVE-2015-4426
SQL injection vulnerability in pimcore before build 3473 allows remote attackers to execute arbitrary SQL commands via the filter parameter to admin/asset/grid-proxy.
CVE-2015-4425
Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility.
CVE-2014-2922
The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.1.0 does not properly handle an object obtained by unserializing a pathname, which allows remote attackers to conduct PHP object injectio...

Copyright 2019, cxsecurity.com

 

Back to Top