CVE-2021-29440
Published 2021-04-13
Priority: P2 (62) · Severity: high · CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) · Exploit: available · EPSS: 30.62% (98.0th percentile)
Grav is a file based Web-platform. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. The issue was addressed in version 1.7.11.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 1.7.11 | 1.7.11 |
| getgrav | grav | >= 0 < 1.7.11 | 1.7.11 |
Detection & IOCs (extracted from sources)
- Detect POST requests to /admin/pages/<name>/:add containing the parameter data[header][process][twig]=1, which enables unsandboxed Twig processing on a newly created page: the core enabler of SSTI RCE.
- Detect page content bodies submitted to the Grav admin API containing Twig expression syntax (e.g., {{ ... }}) combined with PHP function calls such as system(), which indicates SSTI exploitation.
- Monitor for rapid page creation followed immediately by a GET request to the newly created page path and then a task:delete call; this create/execute/cleanup pattern is characteristic of the exploit workflow.
- Alert on authenticated admin sessions that POST to /admin/pages/<random_name>/:add with toggleable_data[header][process]=on alongside twig=1, indicating deliberate Twig processing enablement on a static page.
- Note: exploitation requires an authenticated admin user with page creation/editing privileges; this is not an unauthenticated vulnerability. Detection should be scoped to authenticated admin sessions to reduce false positives.
- Note: the Twig processor runs unsandboxed in Grav versions prior to 1.7.11; upgrading to 1.7.11 addresses the issue. Detections targeting Twig-in-front-matter are only relevant on unpatched instances.
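As an added example (not part of this record, the advisory, or Grav itself), the detection notes above expressed as a small Python matcher over constructed admin request records; the `task:delete` URL form and the PHP function names beyond `system()` are assumptions.

```python
import re
from urllib.parse import parse_qs

ADD_PATH = re.compile(r"^/admin/pages/(?P<name>[^/]+)/:add$")
# Twig expression wrapping a PHP call (system() is the page's example; the others are assumed equivalents)
SSTI = re.compile(r"\{\{.*?\b(?:system|exec|passthru|shell_exec)\s*\(", re.S)

# Constructed sample of admin requests as (session, method, path, body); not real traffic.
SAMPLE_REQUESTS = [
    ("sess-A", "POST", "/admin/pages/about/:add",
     "data[header][title]=About&data[content]=Hello+world"),
    ("sess-B", "POST", "/admin/pages/x7q2/:add",
     "toggleable_data[header][process]=on&data[header][process][twig]=1"
     "&data[content]=%7B%7B+system(%27id%27)+%7D%7D"),
    ("sess-B", "GET", "/x7q2", ""),
    ("sess-B", "POST", "/admin/pages/x7q2/task:delete", ""),  # assumed task:delete URL form
]

def twig_enabled(params):
    """True when the submitted front matter switches Twig processing on."""
    if params.get("data[header][process][twig]") == ["1"]:
        return True
    toggled = params.get("toggleable_data[header][process]") == ["on"]
    return toggled and any(k.endswith("[twig]") and v == ["1"] for k, v in params.items())

def detect(requests):
    """Return (session, rule, page) alerts for the three patterns described above."""
    alerts, pending = [], {}  # pending: session -> {page: stage} for create/fetch/delete
    for session, method, path, body in requests:
        params = parse_qs(body, keep_blank_values=True)
        m = ADD_PATH.match(path)
        if method == "POST" and m:
            page = m.group("name")
            if twig_enabled(params):
                alerts.append((session, "twig-enabled-on-create", page))
                pending.setdefault(session, {})[page] = "created"
            if any(SSTI.search(v) for vs in params.values() for v in vs):
                alerts.append((session, "twig-ssti-body", page))
            continue
        stages = pending.get(session, {})
        if method == "GET" and stages.get(path.strip("/")) == "created":
            stages[path.strip("/")] = "fetched"  # page was rendered after creation
        elif "task:delete" in path:
            for page, stage in stages.items():
                if stage == "fetched" and page in path:
                    alerts.append((session, "create-execute-cleanup", page))
                    stages[page] = "deleted"
    return alerts
```

The session key lets the create/fetch/delete chain be tied to one authenticated admin, which is the scoping the caveats above ask for.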
CVSS provenance
- NVD v3.1: 7.2 HIGH (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
GHSA (ghsa, 2021-04-16)
CVE-2021-29440 [HIGH] CWE-94: Grav's Twig processing allowing dangerous PHP functions by default
### Impact
Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages.
As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.
### Patches
The issue was addressed by preventing dangerous functions from being called in Twig templates. A configuration option has been added to manually allow arbitrary PHP functions (`system.twig.safe_functions`) and filters (`system.twig.safe_filters`).
Future major versions of Grav may disable this functionality by default.
### Workarounds
Blocking access to the `/admin` path from untrusted sources will reduce the probability of exploita
OSV (osv, 2021-04-16)
CVE-2021-29440 [HIGH]: Grav's Twig processing allowing dangerous PHP functions by default
No detection rules found.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/162987/Grav-CMS-1.7.10-Server-Side-Template-Injection.html
- https://blog.sonarsource.com/grav-cms-code-execution-vulnerabilities
- https://github.com/getgrav/grav/security/advisories/GHSA-g8r4-p96j-xfxc
- https://packagist.org/packages/getgrav/grav