CVE-2020-15099 – typo3/cms-core

Package

Manager: composer
Name: typo3/cms-core
Vulnerable Version: >=9.0.0 <9.5.20 || >=10.0.0 <10.4.6

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.01187 pctl0.78009

Details

Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS > ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C` (7.5) > * CWE-20, CWE-200 ### Problem In case an attacker manages to generate a valid cryptographic message authentication code (HMAC-SHA1) - either by using a different existing vulnerability or in case the internal _encryptionKey_ was exposed - it is possible to retrieve arbitrary files of a TYPO3 installation. This includes the possibility to fetch _typo3conf/LocalConfiguration.php_ which again contains the _encryptionKey_ as well as credentials of the database management system being used. In case a database server is directly accessible either via internet or in a shared hosting network, this allows to completely retrieve, manipulate or delete database contents. This includes creating an administration user account - which can be used to trigger remote code execution by injecting custom extensions. ### Solution Update to TYPO3 versions 9.5.20 or 10.4.6 that fix the problem described. ### Credits Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2020-007](https://typo3.org/security/advisory/typo3-core-sa-2020-007)

Metadata

Created: 2020-07-29T16:15:32Z
Modified: 2021-10-08T20:36:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-3x94-fv5h-5q2c/GHSA-3x94-fv5h-5q2c.json
CWE IDs: ["CWE-20", "CWE-200"]
Alternative ID: GHSA-3x94-fv5h-5q2c
Finding: F038
Auto approve: 1