CVE-2022-25337 – ezsystems/ezpublish-kernel

Package

Manager: composer
Name: ezsystems/ezpublish-kernel
Vulnerable Version: >=7.5.0 <7.5.26

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00891 pctl0.74665

Details

Code injection in ezsystems/ezpublish-kernel When image files are uploaded, they are made accessible under a name similar to the original file name. There are two issues with this. Both require access to uploading images in order to exploit them, this limits the impact. The first issue is that certain injection attacks can be possible, since not all possible attack vectors are removed from the original file name. The second issue is that direct access to the images is not access controlled. This is by design, for performance reasons, and documented as such. But it does mean that images not meant to be publicly accessible can be accessed, provided that the image path and filename is correctly deduced and/or guessed, through dictionary attacks and similar.

Metadata

Created: 2022-02-19T00:01:25Z
Modified: 2022-03-04T21:37:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-xwv6-v7qx-f5jc/GHSA-xwv6-v7qx-f5jc.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-xwv6-v7qx-f5jc
Finding: F184
Auto approve: 1