CVE-2023-2756: [Bug]: Fix Inheritable Segment query (#460) · pimcore/customer-data-framework@76df151
SQL Injection in GitHub repository pimcore/customer-data-framework prior to 3.3.10.
@@ -50,12 +50,17 @@ public static function getSubscribedServices()
*/
public function inheritableSegments(Request $request, SegmentManagerInterface $segmentManager)
{
$id = $request->get(‘id’) ?? '’;
$type = $request->get(‘type’) ?? '’;
$id = $request->get(‘id’);
$type = $request->get(‘type’);
if (!$type || !$id) {
return $this->adminJson([‘data’ => []]);
}
$db = \Pimcore\Db::get();
$parentIdStatement = sprintf('SELECT `%s` FROM `%s` WHERE `%s` = :value’, $type === ‘object’ ? ‘o_parentId’ : 'parentId’, $type.’s’, $type === ‘object’ ? ‘o_id’ : ‘id’);
$parentIdStatement = sprintf('SELECT :parentIdField FROM %s WHERE :idField = :value’, $db->quoteIdentifier($type . ‘s’));
$parentId = $db->fetchOne($parentIdStatement, [
‘parentIdField’ => $type === ‘object’ ? ‘o_parentId’ : 'parentId’,
‘idField’ => $type === ‘object’ ? ‘o_id’ : 'id’,
‘value’ => $id
]);
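Review bot: the named placeholders `:parentIdField` and `:idField` in the new `$parentIdStatement` bind values, not identifiers, so for `$type === 'object'` the statement runs as `SELECT 'o_parentId' FROM `objects` WHERE 'o_id' = '<id>'`, a comparison of two string literals that never matches a real row, and `fetchOne()` returns no parent id for every request. Only `:value` should stay in the parameter array. The two column names are already selected from fixed strings by the `$type === 'object'` ternaries, so build them into the string the same way the table name is (through `$db->quoteIdentifier()`) instead of binding them. While here, consider restricting `$type` to the element types this endpoint is meant to serve rather than accepting any request value: `$db->quoteIdentifier($type . 's')` keeps the value from breaking out of the identifier, but an administrator can still aim the query at any table whose name ends in `s`.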
Related news
### Impact

An administrator user can use the inheritable segments feature to execute their own blind SQL queries. A user with administrator privileges can run any SQL query on the database. This can be used to retrieve sensitive data, change database information or perform any other malicious activity against the database.

### Patches

Update to version 3.3.10 or apply this patch manually: https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch

### Workarounds

Apply https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch manually.

### References

https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44/
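The following is an added example and not pimcore code. It reproduces the three query shapes from the commit above in Python against an in-memory SQLite database (the project itself goes through Doctrine DBAL; SQLite is used only so the block runs stand-alone, and it accepts MySQL-style backtick identifiers). The schema, rows, the `users` table with a secret column, the `documents` table and the `ATTACK_TYPE` payload are all constructed for the demonstration; only `objects`, `o_id` and `o_parentId` are taken from the diff. `parent_id_vulnerable` shows why splicing a request value into a backtick-quoted identifier is an injection, `parent_id_hardened` shows the allow-list fix, and `parent_id_bound_identifier` shows that passing column names as named parameters, as the patch does, silently yields no rows.

```python
"""Added example (not pimcore code): identifier injection in the
inheritableSegments query, shown against an in-memory SQLite database."""
import sqlite3

# Constructed schema. objects/o_id/o_parentId follow the diff; the documents
# table and the users table with a secret column are assumed here only to
# give the injected UNION something to read.
SCHEMA = """
CREATE TABLE objects   (o_id INTEGER PRIMARY KEY, o_parentId INTEGER);
CREATE TABLE documents (id INTEGER PRIMARY KEY, parentId INTEGER);
CREATE TABLE users     (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO objects   VALUES (1, 0), (42, 1);
INSERT INTO documents VALUES (7, 1);
INSERT INTO users     VALUES (1, 'admin', 'hunter2');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def parent_id_vulnerable(conn, type_, id_):
    """Pre-patch shape: the request-controlled `type` is spliced into the SQL
    text. The backticks around %s are not quoting; a backtick inside `type`
    simply ends the identifier and the rest is parsed as SQL."""
    parent_col = "o_parentId" if type_ == "object" else "parentId"
    id_col = "o_id" if type_ == "object" else "id"
    sql = "SELECT `%s` FROM `%s` WHERE `%s` = :value" % (parent_col, type_ + "s", id_col)
    row = conn.execute(sql, {"value": id_}).fetchone()
    return row[0] if row else None


# Constructed payload for the `type` parameter: closes the backtick, drops the
# real rows with WHERE 0 and UNIONs in a column from another table. The
# trailing "-- " turns the remainder of the template into a comment.
ATTACK_TYPE = "documents` WHERE 0 UNION SELECT password FROM users -- "


# Allow-list: the only `type` values the endpoint should serve, mapped to
# fixed identifiers. The `document` entry is assumed, not taken from the diff.
ALLOWED_TYPES = {
    "object": ("objects", "o_id", "o_parentId"),
    "document": ("documents", "id", "parentId"),
}


def quote_ident(name):
    """Stand-in for DBAL's quoteIdentifier(): double-quote and escape."""
    return '"' + name.replace('"', '""') + '"'


def parent_id_hardened(conn, type_, id_):
    """Identifiers come from the allow-list; only the id value is bound."""
    try:
        table, id_col, parent_col = ALLOWED_TYPES[type_]
    except KeyError:
        return None  # unknown type: refuse instead of deriving a table name
    sql = "SELECT %s FROM %s WHERE %s = :value" % (
        quote_ident(parent_col), quote_ident(table), quote_ident(id_col))
    row = conn.execute(sql, {"value": id_}).fetchone()
    return row[0] if row else None


def parent_id_bound_identifier(conn, type_, id_):
    """Shape of the patched query: column names passed as named parameters.
    A placeholder binds a value, so this executes
    SELECT 'o_parentId' FROM "objects" WHERE 'o_id' = 42  -> no rows."""
    sql = "SELECT :parentIdField FROM %s WHERE :idField = :value" % quote_ident(type_ + "s")
    row = conn.execute(sql, {
        "parentIdField": "o_parentId" if type_ == "object" else "parentId",
        "idField": "o_id" if type_ == "object" else "id",
        "value": id_,
    }).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    print(parent_id_vulnerable(db, "object", 42))        # 1: normal lookup
    print(parent_id_vulnerable(db, ATTACK_TYPE, 0))      # hunter2: leaked via UNION
    print(parent_id_hardened(db, "object", 42))          # 1
    print(parent_id_hardened(db, ATTACK_TYPE, 0))        # None: payload rejected
    print(parent_id_bound_identifier(db, "object", 42))  # None: column name bound as a value
```

The allow-list is what closes the hole: quoting the identifier stops the breakout, but it still lets a caller choose the table, whereas a fixed map from `type` to table and column names leaves nothing attacker-controlled in the SQL text except the bound `:value`.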