
CVE-2022-41951 oro/platform

Package

Manager: composer
Name: oro/platform
Vulnerable Version: >=4.1.0 <=4.1.13 || >=4.2.0 <=4.2.10 || >=5.0.0 <5.0.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00414 (percentile 0.60799)

Details

OroPlatform vulnerable to path traversal during temporary file manipulations

### Impact

Path Traversal is possible in `Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName`. Because the method accepts a caller-supplied path, an attacker can pass the path of a non-existent file and have content written to a new file at that location; the file remains available while the script executes and is deleted immediately after the script ends.

### Workarounds

Apply the following patch:

```patch
--- a/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
+++ b/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
@@ -614,6 +614,10 @@
      */
     public function getTemporaryFileName(string $suggestedFileName = null): string
     {
+        if ($suggestedFileName) {
+            $suggestedFileName = basename($suggestedFileName);
+        }
+
         $tmpDir = ini_get('upload_tmp_dir');
         if (!$tmpDir || !is_dir($tmpDir) || !is_writable($tmpDir)) {
             $tmpDir = sys_get_temp_dir();
```

Or decorate `Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName` in your customization and strip the directory components from the `$suggestedFileName` argument before delegating to the parent:

```php
public function getTemporaryFileName(string $suggestedFileName = null): string
{
    if ($suggestedFileName) {
        $suggestedFileName = basename($suggestedFileName);
    }

    return parent::getTemporaryFileName($suggestedFileName);
}
```

### References

- [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
- [How to Decorate Services](https://symfony.com/doc/5.4/service_container/service_decoration.html)
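Review bot: in the added `if ($suggestedFileName)` block, `basename()` only removes directory components; it does not reject `.` or `..`, so after sanitization `$suggestedFileName` can still name the temp directory itself or its parent rather than a file inside it. Suggest rejecting those values (and an empty result) explicitly, or re-checking after the name is joined with `$tmpDir` that the final path's directory is `$tmpDir`. Style: `string $suggestedFileName = null` is an implicitly nullable parameter; `?string $suggestedFileName = null` states the intent directly.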
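The following is an added example, written for this page rather than taken from the advisory or from the Oro code base, and in Python rather than PHP so it can be run without an Oro installation. It places the vulnerable pattern (joining a caller-supplied string onto the temp directory) beside a hardened equivalent of the patch: the `basename()` step, plus a rejection of the `.`/`..`/empty names that `basename()` lets through and a final containment check. The temp directory path and the suggested names are constructed sample values; the function names are the example's own.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def unsafe_temporary_file_name(suggested: str, tmp_dir: str) -> str:
    """The vulnerable pattern: join the caller's string straight onto the temp dir.

    '../' segments walk out of tmp_dir, and an absolute second argument makes
    os.path.join discard tmp_dir entirely, so the result may point anywhere the
    process is allowed to write.
    """
    return os.path.join(tmp_dir, suggested)


def is_inside(path: str, base_dir: str) -> bool:
    """True if `path` resolves to a direct child of `base_dir` ('..' and symlinks collapsed)."""
    return Path(path).resolve().parent == Path(base_dir).resolve()


def safe_temporary_file_name(suggested: Optional[str], tmp_dir: Optional[str] = None) -> str:
    """Hardened equivalent of the patched getTemporaryFileName() (example, not Oro's code).

    1. keep only the last path component (the patch's basename() step);
    2. reject names that are empty, '.' or '..', which basename() does not filter;
    3. re-check that the final path really is a direct child of tmp_dir.
    """
    base_dir = tmp_dir or tempfile.gettempdir()
    if not suggested:
        # No suggestion: hand out a fresh unique file, as tempnam() does in PHP.
        fd, path = tempfile.mkstemp(dir=base_dir)
        os.close(fd)
        return path

    name = os.path.basename(suggested)
    if name in ("", ".", ".."):
        raise ValueError(f"refusing unsafe suggested file name {suggested!r}")

    candidate = os.path.join(base_dir, name)
    if not is_inside(candidate, base_dir):
        # Defence in depth: unreachable after basename(), but cheap to keep.
        raise ValueError(f"{candidate!r} escapes {base_dir!r}")
    return candidate


def is_rejected(suggested: str, tmp_dir: str) -> bool:
    """True if the hardened function refuses `suggested` (helper for the checks below)."""
    try:
        safe_temporary_file_name(suggested, tmp_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs; the directory does not need to exist for the path checks.
    tmp = "/srv/app/var/tmp"
    for attempt in ("report.csv", "../../etc/passwd", "/etc/passwd", "..", "sub/"):
        unsafe = unsafe_temporary_file_name(attempt, tmp)
        print(f"{attempt!r:22} unsafe -> {unsafe} (inside: {is_inside(unsafe, tmp)})")
        if is_rejected(attempt, tmp):
            print(" " * 23 + "safe   -> rejected")
        else:
            print(" " * 23 + f"safe   -> {safe_temporary_file_name(attempt, tmp)}")
```

The containment check is the part worth keeping even after `basename()`: it turns a "we believe the name is clean" assumption into a property that is verified on every call, which is what you want for a function whose result is passed to a file write.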

Metadata

Created: 2023-11-27T23:28:52Z
Modified: 2023-11-27T23:28:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-9v3j-4j64-p937/GHSA-9v3j-4j64-p937.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-9v3j-4j64-p937
Finding: F063
Auto approve: 1