CVE-2023-2336: [Security] Admin Authenticated Arbitrary File Read (#14974) · pimcore/pimcore@498cade
Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21.
[Security] Admin Authenticated Arbitrary File Read (#14974)
* Fix: disable asset importFromServer for users
* Doc: Add Upgrade Notes
Showing 3 changed files with 9 additions and 1 deletion.
- AssetController.php
- tree.js
- README.md
4 changes: 4 additions & 0 deletions bundles/AdminBundle/Controller/Admin/Asset/AssetController.php
@@ -2459,6 +2459,10 @@ public function importServerAction(Request $request)
*/
public function importServerFilesAction(Request $request)
{
if(!Tool\Admin::getCurrentUser()->isAdmin()) {
throw $this->createAccessDeniedException(‘Permission denied. You don\’t have the rights to import files from the server!’);
}
$assetFolder = Asset::getById((int) $request->get(‘parentId’));
if (!$assetFolder) {
throw $this->createNotFoundException(‘Parent asset not found’);
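Review bot: the new admin guard at the top of `importServerFilesAction` restricts who may call the endpoint but does not address the traversal itself; the advisory describes a path-traversal read through import-server-files, so whichever request parameter supplies the server path (not visible in this hunk) should still be canonicalised with `realpath()` and checked to lie under the intended import directory before any file is read, otherwise a single admin account remains enough to read arbitrary files. Minor style: `if(!Tool\Admin::getCurrentUser()->isAdmin())` should be `if (!Tool\Admin::getCurrentUser()->isAdmin())` per PSR-12, and since the call is chained without a null check it is worth confirming `Tool\Admin::getCurrentUser()` cannot return null on this route.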
2 changes: 1 addition & 1 deletion bundles/AdminBundle/Resources/public/js/pimcore/asset/tree.js
@@ -594,7 +594,7 @@ pimcore.asset.tree = Class.create({
});
}
if (perspectiveCfg.inTreeContextMenu(“asset.add.importFromServer”)) {
if (perspectiveCfg.inTreeContextMenu(“asset.add.importFromServer”) && pimcore.currentuser.admin) {
menuItems.push({
text: t(“import_from_server”),
handler: this.importFromServer.bind(this, tree, record),
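Review bot: adding `pimcore.currentuser.admin` to the context-menu condition only hides the UI entry; the underlying request can still be sent directly, so this change must stay paired with the server-side `isAdmin()` check in `AssetController` and should not be read as the enforcing control. A one-line comment noting that the flag mirrors the server check would keep the two from drifting apart; that `pimcore.currentuser.admin` is the same admin flag the server consults is assumed from the identifier, not shown in the hunk.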
@@ -1,8 +1,12 @@
Upgrade Notes
10.5.21
- [Assets] The Asset `Import from Server` feature is now only available for admins. It will be removed in Pimcore 11
10.5.13
- [Web2Print] Print document twig expressions are now executed in a sandbox with restrictive security policies (just like Sending mails and Dataobject Text Layouts introduced in 10.5.9).
10.5.10
- [DataObject] Deprecated: Loading non-Concrete objects with the Concrete class will not be possible in Pimcore 11.
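Review bot: the new 10.5.21 entry does not say that this is a security fix or reference the advisory (CVE-2023-2336 per the commit title), so operators reading the upgrade notes cannot tell it should be prioritised; it also lacks the trailing period the other entries use. Suggested wording: `- [Assets] The Asset \`Import from Server\` feature is now only available for admins (security fix, CVE-2023-2336). It will be removed in Pimcore 11.`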
0 comments on commit 498cade
Related news
### Impact
An authenticated attacker can abuse import-server-files with a path traversal to download an arbitrary file from the server. An arbitrary file read vulnerability allows an attacker to read files on the server that they should not have access to, potentially including sensitive files such as configuration files, user data, and credentials. This can result in the exposure of confidential information, which can be used to launch further attacks or compromise the system.
### Patches
Update to version 10.5.21 or apply this patch manually: https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch
### Workarounds
Apply the patch https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch manually.
### References
https://huntr.dev/bounties/af764624-7746-4f53-8480-85348dbb4f14/