CVE-2022-41951: Path traversal possible during temporary file manipulations

Package

Affected versions

>=4.1.0, <4.1.14 || >=4.2.0, <4.2.11 || >=5.0.0, <5.0.8

Impact

Path Traversal is possible in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName.
With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. The file will be deleted immediately after the script ends.

Workarounds

Apply patch

— a/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php +++ b/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php @@ -614,6 +614,10 @@ */ public function getTemporaryFileName(string $suggestedFileName = null): string {

•    if ($suggestedFileName) {
  

•        $suggestedFileName = basename($suggestedFileName);
  

•    }
  

•    $tmpDir = ini\_get('upload\_tmp\_dir');
     if (!$tmpDir || !is\_dir($tmpDir) || !is\_writable($tmpDir)) {
         $tmpDir = sys\_get\_temp\_dir();
  

Or decorate Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName in your customization and clear $suggestedFileName argument

public function getTemporaryFileName(string $suggestedFileName = null): string
{
    if ($suggestedFileName) {
        $suggestedFileName = basename($suggestedFileName);
    }

    return parent::getTemporaryFileName($suggestedFileName);
}

References

• Path Traversal
• How to Decorate Services