Grav vulnerable to Server-side Template Injection (SSTI) via Denylist Bypass
CVE-2023-34253

8.8 HIGH

Key Information:

Vendor: Getgrav

Status: Vendor

CVE Published: 14 June 2023

What is CVE-2023-34253?

Grav, a popular flat-file content management system, has a vulnerability that stems from an insufficient denylist implementation in its template handling. The flaw allows a low-privileged user who has access to the Grav Admin panel and permission to create or update pages to inject malicious templates. The denylist can be bypassed in several ways: by calling unsafe functions that are not explicitly banned, by using capitalized spellings of banned callable names, or by referencing callables through their fully-qualified names. Successful exploitation can lead to remote code execution. Version 1.7.42 introduces a patch that strengthens the denylist to mitigate this risk.
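The three bypass classes named above all come down to how a denylist compares names. The following added example (not Grav's code, and not a reproduction of its actual denylist) models that comparison in Python rather than PHP so it can be run anywhere: a naive exact-match check, a hardened check that normalizes case and strips the leading namespace separator of fully-qualified names, and an allowlist check that also covers callables the denylist never listed. The denylist entries, allowlist entries, callable names and template text are all constructed placeholders; the audit function is the kind of scan a defender could run over stored page templates.

```python
"""Denylist matching for template callables: naive vs. normalized vs. allowlist.

Added example, not Grav's code. All names below are constructed placeholders.
"""
import re

# Constructed sample denylist: callables a page template must never invoke.
SAMPLE_DENYLIST = {"unsafe_exec", "unsafe_eval"}

# Constructed sample allowlist: the only callables a page template may invoke.
SAMPLE_ALLOWLIST = {"upper", "lower", "trim", "date"}

# Matches a function-call token at the start of a {{ ... }} expression and
# captures the callable name, including an optional leading backslash and
# any namespace/class separators (hypothetical syntax, chosen for the demo).
_CALL_RE = re.compile(r"\{\{\s*([A-Za-z_\\][\w\\:]*)\s*\(")


def extract_callables(template: str) -> list[str]:
    """Return every callable name used in function-call position."""
    return _CALL_RE.findall(template)


def normalize_callable(name: str) -> str:
    """Canonical form: trim whitespace, drop leading '\\', lowercase."""
    return name.strip().lstrip("\\").lower()


def naive_is_blocked(name: str, denylist=SAMPLE_DENYLIST) -> bool:
    """Exact, case-sensitive match: the weak check the advisory describes."""
    return name in denylist


def hardened_is_blocked(name: str, denylist=SAMPLE_DENYLIST) -> bool:
    """Compare normalized forms so case and '\\' prefixes no longer matter."""
    canonical = {normalize_callable(d) for d in denylist}
    return normalize_callable(name) in canonical


def allowlist_permits(name: str, allowlist=SAMPLE_ALLOWLIST) -> bool:
    """Allowlist policy: anything not explicitly permitted is rejected,
    which also covers unsafe callables the denylist never named."""
    return normalize_callable(name) in allowlist


def audit_template(template: str, denylist=SAMPLE_DENYLIST,
                   allowlist=SAMPLE_ALLOWLIST) -> list[dict]:
    """Report, per callable, how each policy treats it."""
    return [
        {
            "callable": name,
            "naive_blocks": naive_is_blocked(name, denylist),
            "hardened_blocks": hardened_is_blocked(name, denylist),
            "allowlist_permits": allowlist_permits(name, allowlist),
        }
        for name in extract_callables(template)
    ]


# Constructed template exercising each bypass class from the advisory.
SAMPLE_TEMPLATE = (
    "{{ upper(page.title) }}\n"      # benign, allowlisted
    "{{ unsafe_exec(cmd) }}\n"       # exact denylisted spelling
    "{{ Unsafe_Exec(cmd) }}\n"       # capitalized spelling
    "{{ \\unsafe_exec(cmd) }}\n"     # fully-qualified (leading backslash)
    "{{ other_unsafe(cmd) }}\n"      # unsafe but not on the denylist at all
)

if __name__ == "__main__":
    for row in audit_template(SAMPLE_TEMPLATE):
        print(row)
```

Running the block shows the naive check stopping only the exact spelling, the normalized check stopping the capitalized and backslash-prefixed variants as well, and only the allowlist rejecting the callable that was never denylisted. That last row is why an allowlist of safe callables is the more robust mitigation for this class of issue.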

Affected Version(s)

grav < 1.7.42

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved