CVE-2024-52291: Local File System Validation Bypass Leading to File Overwrite, Sensitive File Access, and Potential Code Execution

November 13, 2024

A vulnerability in CraftCMS allows an attacker to bypass local file system validation by utilizing a double file:// scheme (e.g., file://file:////). This enables the attacker to specify sensitive folders as the file system, leading to potential file overwriting through malicious uploads, unauthorized access to sensitive files, and, under certain conditions, remote code execution (RCE) via Server-Side Template Injection (SSTI) payloads.

Note that this will only work if you have an authenticated administrator account with allowAdminChanges enabled

References

github.com/advisories/GHSA-jrh5-vhr9-qh7q
github.com/craftcms/cms
github.com/craftcms/cms/security/advisories/GHSA-jrh5-vhr9-qh7q
nvd.nist.gov/vuln/detail/CVE-2024-52291

Code Behaviors & Features

Detect and mitigate CVE-2024-52291 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →