Grav up to 1.7.10 Twig Processing code injection

Summaryinfo

A vulnerability classified as critical was found in Grav up to 1.7.10. This issue affects some unknown processing of the component Twig Processing. Such manipulation leads to code injection. This vulnerability is uniquely identified as CVE-2021-29440. The attack can be launched remotely. Moreover, an exploit is present. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Grav up to 1.7.10 and classified as critical. Affected by this issue is an unknown function of the component Twig Processing. The manipulation with an unknown input leads to a code injection vulnerability. Using CWE to declare the problem leads to CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Impacted is confidentiality, integrity, and availability.

The weakness was disclosed 04/14/2021. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2021-29440. Technical details are unknown but a public exploit is available. The MITRE ATT&CK project declares the attack technique as T1059.

The exploit is available at exploit-db.com. It is declared as proof-of-concept.

Upgrading to version 1.7.11 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Exploit-DB (49961). Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Grav

Version

• 1.7.0
• 1.7.1
• 1.7.2
• 1.7.3
• 1.7.4
• 1.7.5
• 1.7.6
• 1.7.7
• 1.7.8
• 1.7.9
• 1.7.10

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion