Strix
26.1K

CVE-2021-22968

HIGHCVSS 7.2/10EPSS 3.13%

Last modified

CVE-2021-22968 is a high-severity vulnerability rated 7.2/10 on the CVSS scale. A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. EPSS estimates a 3.13% chance of exploitation in the next 30 days.

Description

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NThis fix is also in Concrete version 9.0.0

Metrics

CVSS 3.1
7.2/10

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
3.13%

86.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
ConcretecmsConcrete Cms< 8.5.7

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-22968?
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NThis fix is also in Concrete version 9.0.0
How severe is CVE-2021-22968?
CVE-2021-22968 has a CVSS score of 7.2/10 (HIGH severity). The EPSS model estimates a 3.13% probability of exploitation in the next 30 days.
How do I fix CVE-2021-22968?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-22968?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST