Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-9v3j-4j64-p937: OroPlatform vulnerable to path traversal during temporary file manipulations

Impact

Path Traversal is possible in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName. With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. The file will be deleted immediately after the script ends.

Workarounds

Apply patch

--- a/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
+++ b/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
@@ -614,6 +614,10 @@
      */
     public function getTemporaryFileName(string $suggestedFileName = null): string
     {
+        if ($suggestedFileName) {
+            $suggestedFileName = basename($suggestedFileName);
+        }
+
         $tmpDir = ini_get('upload_tmp_dir');
         if (!$tmpDir || !is_dir($tmpDir) || !is_writable($tmpDir)) {
             $tmpDir = sys_get_temp_dir();

Or decorate Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName in your customization and clear $suggestedFileName argument

    public function getTemporaryFileName(string $suggestedFileName = null): string
    {
        if ($suggestedFileName) {
            $suggestedFileName = basename($suggestedFileName);
        }

        return parent::getTemporaryFileName($suggestedFileName);
    }

References

ghsa
Open in Source
#git#php
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2022-41951

OroPlatform vulnerable to path traversal during temporary file manipulations

High severity GitHub Reviewed Published Nov 27, 2023 in oroinc/platform • Updated Nov 27, 2023

Package

Affected versions

>= 4.1.0, <= 4.1.13

>= 4.2.0, <= 4.2.10

>= 5.0.0, < 5.0.8

Impact

Path Traversal is possible in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName.
With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. The file will be deleted immediately after the script ends.

Workarounds

Apply patch

— a/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php +++ b/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php @@ -614,6 +614,10 @@ */ public function getTemporaryFileName(string $suggestedFileName = null): string {

  •    if ($suggestedFileName) {

  •        $suggestedFileName = basename($suggestedFileName);

  •    }

  •    $tmpDir = ini\_get('upload\_tmp\_dir');
   if (!$tmpDir || !is\_dir($tmpDir) || !is\_writable($tmpDir)) {
       $tmpDir = sys\_get\_temp\_dir();

Or decorate Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName in your customization and clear $suggestedFileName argument

public function getTemporaryFileName(string $suggestedFileName = null): string
{
    if ($suggestedFileName) {
        $suggestedFileName = basename($suggestedFileName);
    }

    return parent::getTemporaryFileName($suggestedFileName);
}

References

  • Path Traversal
  • How to Decorate Services

References

  • GHSA-9v3j-4j64-p937
  • https://nvd.nist.gov/vuln/detail/CVE-2022-41951

Published to the GitHub Advisory Database

Nov 27, 2023

Last updated

Nov 27, 2023

Related news

CVE-2022-41951: Path traversal possible during temporary file manipulations

OroPlatform is a PHP Business Application Platform (BAP) designed to make development of custom business applications easier and faster. Path Traversal is possible in `Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName`. With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. This vulnerability has been fixed in version 5.0.9.

ghsa: Latest News

GHSA-8fh4-942r-jf2g: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/services.inc.php
ghsa