CVE-2019-10867
Published 2019-04-04
Priority: P277 · high · 8.8 (CVSS 3.0)
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public (Exploit-DB and Metasploit entries below)
EPSS: 69.36% (99.3rd percentile)
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pimcore | pimcore | < 5.7.1 | 5.7.1 |
| pimcore | pimcore | >= 0 < 5.7.1 | 5.7.1 |
Detection & IOCs (extracted from sources)
- Alert on POST requests to /admin/class/bulk-commit whose body contains the Symfony ApcuAdapter serialized-object prefix `O:43:"Symfony\Component\Cache\Adapter\ApcuAdapter"`. The body is normally form-urlencoded (`\` arrives as %5C and `"` as %22), so URL-decode the `data` parameter before matching.
- Treat the custom request header `X-pimcore-csrf-token` on a POST to /admin/class/bulk-commit as a corroborating indicator of scripted or automated exploitation, not as an alert on its own.
- Detect base64-encoded PHP eval payloads in POST body parameters sent to Pimcore admin endpoints; this matches the exploit's code-execution stage.
- Exploitation requires an authenticated session with the `classes` permission; unauthenticated exploitation is not possible, so detections should correlate the request with the prior login step (POST to /admin/login/login) from the same client.
- Two distinct unserialize gadget chains are used depending on the Pimcore version: a Symfony payload for 5.x (5.4.0–5.6.6) and a Zend payload for 4.x (4.0.0–4.6.5); detection rules should cover both branches.
- The fix ships in Pimcore 5.7.1; any instance running a version before 5.7.1 (including all 4.x releases) remains vulnerable.
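The following Python is an added example, not Pimcore's code and not the Metasploit module. It turns the description of the `data` parameter and the indicators listed above into detection logic run over constructed HTTP requests: it URL-decodes the body, extracts PHP serialized-object headers `O:<len>:"<class>"` and checks the declared length, flags the Symfony and Zend gadget namespaces, decodes base64 runs and looks for PHP code, weighs the `X-pimcore-csrf-token` header only as corroboration, and records whether the same client POSTed to /admin/login/login earlier. The raw-request record format, the scoring weights, the `Zend` namespace prefix (the page names only a "Zend payload", not a class) and all sample traffic are assumptions; the sample gadget is inert and reproduces no real chain.

```python
"""Detection logic for CVE-2019-10867 indicators (added example, not Pimcore or Metasploit code)."""
import base64
import re
from urllib.parse import parse_qs, quote_plus, unquote_plus

TARGET_PATH = "/admin/class/bulk-commit"
LOGIN_PATH = "/admin/login/login"
# PHP serialized object header: O:<len>:"<class>"
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]+)"')
# Gadget namespaces named on this page. The exact Zend class is not given; the prefix is an assumption.
SUSPECT_PREFIXES = ("Symfony\\", "Zend")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PHP_CODE_MARKERS = (b"<?php", b"eval(", b"system(", b"shell_exec(", b"passthru(")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body); header names are lower-cased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.upper(), target.split("?", 1)[0], headers, body


def php_objects(text):
    """Return (class_name, declared_length_matches) for every serialized-object header in text."""
    return [(cls, len(cls) == int(n)) for n, cls in PHP_OBJECT_RE.findall(text)]


def decoded_php_code(text):
    """Return base64 tokens in text that decode to bytes containing a PHP code marker."""
    hits = []
    for token in BASE64_RE.findall(text):
        try:
            blob = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if any(marker in blob for marker in PHP_CODE_MARKERS):
            hits.append(token)
    return hits


def analyze_request(raw):
    """Score one request against the page's indicators and return the findings."""
    method, path, headers, body = parse_request(raw)
    decoded = unquote_plus(body)  # form bodies arrive percent-encoded: %5C for '\', %22 for '"'
    objects = php_objects(decoded)
    classes = [cls for cls, _ in objects]
    f = {
        "bulk_commit": method == "POST" and path == TARGET_PATH,
        "has_data_param": "data" in parse_qs(body, keep_blank_values=True),
        "serialized_classes": classes,
        "malformed_length": any(not ok for _, ok in objects),
        "suspect_gadget": any(cls.startswith(SUSPECT_PREFIXES) for cls in classes),
        "csrf_header": "x-pimcore-csrf-token" in headers,
        "session_cookie": "cookie" in headers,
        "php_code_b64": decoded_php_code(decoded),
    }
    score = 0
    if f["bulk_commit"] and f["has_data_param"] and classes:
        score += 3  # a serialized PHP object reaching the unserialize() sink: the IOC itself
    if f["suspect_gadget"]:
        score += 2  # gadget namespaces the page names (Symfony for 5.x, Zend for 4.x)
    if f["php_code_b64"]:
        score += 2  # base64 blob decoding to PHP code: the code-execution stage
    if f["bulk_commit"] and f["csrf_header"]:
        score += 1  # corroborating only; never alert on the header by itself
    f["score"] = score
    f["verdict"] = "alert" if score >= 3 else ("info" if score else "clean")
    return f


def scan(records):
    """Walk (client, raw_request) records in arrival order. Alerts record whether that client
    already POSTed to /admin/login/login, since exploitation needs an authenticated session."""
    logged_in, alerts = set(), []
    for client, raw in records:
        method, path, _, _ = parse_request(raw)
        if method == "POST" and path == LOGIN_PATH:
            logged_in.add(client)
            continue
        f = analyze_request(raw)
        if f["verdict"] == "alert":
            alerts.append({**f, "client": client, "login_seen": client in logged_in})
    return alerts


# Constructed sample traffic (assumption). The gadget is inert: only the class header quoted on
# this page is real; the member is made up and no Symfony chain is reproduced.
EVAL_B64 = base64.b64encode(b"eval(base64_decode($_POST['c']));").decode()
INERT_GADGET = ('O:43:"Symfony\\Component\\Cache\\Adapter\\ApcuAdapter":1:'
                '{s:4:"code";s:%d:"%s";}' % (len(EVAL_B64), EVAL_B64))


def _req(method, path, body="", extra_headers=""):
    return (f"{method} {path} HTTP/1.1\nHost: pimcore.example\nCookie: PHPSESSID=constructed\n"
            f"Content-Type: application/x-www-form-urlencoded\n{extra_headers}\n{body}")


LOGIN = _req("POST", LOGIN_PATH, "username=editor&password=redacted")
BENIGN = _req("POST", TARGET_PATH, "data=" + quote_plus('{"name":"Product"}'),
              "X-pimcore-csrf-token: constructed\n")
ATTACK = _req("POST", TARGET_PATH, "data=" + quote_plus(INERT_GADGET),
              "X-pimcore-csrf-token: constructed\n")
SAMPLE_LOG = [("10.0.0.5", LOGIN), ("10.0.0.5", BENIGN), ("10.0.0.5", ATTACK)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["client"], alert["score"], alert["serialized_classes"], alert["login_seen"])
```

Run directly it prints the single alert from the sample log (the benign bulk-commit with only the CSRF header scores as "info"). In practice feed `scan()` requests from a WAF or reverse-proxy log that retains POST bodies; the length check on `O:<len>` exists because hand-edited payloads often break it, which is itself worth surfacing.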
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| ghsa | | 8.8 | HIGH | |
| osv | | 8.8 | HIGH | |
GHSA / OSV
- CVE-2019-16317 [HIGH] CWE-502, CVSS 8.8 (2022-05-24): Pimcore RCE via PHAR upload. In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a `phar://` URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the `phar://../../../../../../../../var/www/html/web/var/assets/` directory, a different vulnerability than CVE-2019-10867 and CVE-2019-16318.
- CVE-2019-16318 [HIGH] CWE-434, CVSS 8.8 (2022-05-24): Pimcore Unrestricted Upload of File with Dangerous Type. In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.
- CVE-2019-10867 [HIGH] CWE-502 (2022-05-13): Pimcore Unserialize Remote Code Execution. An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to `/admin/class/bulk-commit`, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to `bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php`.
No detection rules found.
Exploit-DB
Pimcore < 5.71 - Unserialize Remote Code Execution (Metasploit) · exploitdb · 2019-04-30 · CVE-2019-10867
Excerpt from the module's info hash (the source is cut off mid-reference):

```ruby
'Name' => "Pimcore Unserialize RCE",
'Description' => %q(
  This module exploits a PHP unserialize() in Pimcore before 5.7.1 to
  execute arbitrary code. An authenticated user with "classes" permission
  could exploit the vulnerability.
  The vulnerability exists in the "ClassController.php" class, where the
  "bulk-commit" method makes it possible to exploit the unserialize function
  when passing untrusted values in "data" parameter.
  Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.5.4, 5.6.0-5.6.6 with the Symfony
  unserialize payload.
  Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.
),
'License' => MSF_LICENSE,
'Author' =>
  [
    'Daniele Scanu', # Discovery & PoC
    'Fabio Cogno'    # Metasploit module
  ],
'References' =>
  [
    ['CVE', '2019-10867'],
    ['URL', 'https://github.com/pimcore/pimcore/commit/38a29
```
Metasploit
Pimcore Unserialize RCE (exploit/multi/http/pimcore_unserialize_rce). Same module as the Exploit-DB entry above: an authenticated user with "classes" permission reaches a PHP unserialize() in ClassController's "bulk-commit" method through the "data" parameter. Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.5.4 and 5.6.0-5.6.6 with the Symfony unserialize payload, and on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/152667/Pimcore-Unserialize-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/multi/http/pimcore_unserialize_rce
- https://blog.certimetergroup.com/it/articolo/security/polyglot_phar_deserialization_to_rce
- https://github.com/pimcore/pimcore/commit/38a29e2f4f5f060a73974626952501cee05fda73
- https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998
- https://www.exploit-db.com/exploits/46783/