CVE-2021-43836

Published: Dic 15, 2021 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2021-2597 Aliases: GHSA-vx6j-pjrh-vgjh
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,5
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: low
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: high
MEDIUM 6,5
Source: [email protected]
Access Vector: network
Access Complexity: low
Authentication: single
Confidentiality: partial
Integrity: partial
Availability: partial

Description

AI Translation Available

Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution. The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0. For users unable to upgrade overwrite the service `sulu_route.generator.expression_token_provider` and wrap the translator before passing it to the expression language.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0429
Percentile
0,9th
Updated

EPSS Score Trend (Last 91 Days)

22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability
Potential Impacts:
Execute Unauthorized Code Or Commands Modify Files Or Directories Read Files Or Directories Dos: Crash, Exit, Or Restart
Applicable Platforms
Technologies: AI/ML
Likelihood of Exploit: High
View CWE Details
Application

Sulu by Sulu

Product Information
Vendor Sulu
Product Sulu
Version 2.4.0
cpe:2.3:a:sulu:sulu:2.4.0:rc1:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Sulu by Sulu

Product Information
Vendor Sulu
Product Sulu
Version Range Affected
From 2.3.0 (inclusive)
To 2.3.8 (exclusive)
cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Sulu by Sulu

Product Information
Vendor Sulu
Product Sulu
Version Range Affected
From 2.0.0 (inclusive)
To 2.2.18 (exclusive)
cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Sulu by Sulu

Product Information
Vendor Sulu
Product Sulu
Version Range Affected
To 1.6.44 (exclusive)
cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3…
Patch Third Party Advisory
https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54
https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-…
Third Party Advisory
https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh
https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3…
Patch Third Party Advisory
https://github.com/sulu/sulu/commit/9c948f9ce350c68b53af8c3910e2cefc7f722b54
https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-…
Third Party Advisory
https://github.com/sulu/sulu/security/advisories/GHSA-vx6j-pjrh-vgjh