CVE-2023-2336
Published 2023-04-27
CVE-2023-2336: Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21.
Priority: P335 · Severity: medium · CVSS 3.1 base score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.67% (47.2th percentile)
Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pimcore | pimcore | < 10.5.21 | 10.5.21 |
| pimcore | pimcore | >= 0 < 10.5.21 | 10.5.21 |
| pimcore | pimcore_pimcore | >= unspecified < 10.5.21 | 10.5.21 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| NVD | 3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
GHSA (ghsa · 2023-04-27)
CVE-2023-2336 [MEDIUM] CWE-22 Path Traversal in Asset "import from server" option
### Impact
An authenticated attacker can abuse the import-server-files action with a path traversal to download an arbitrary file from the server.
An arbitrary file read vulnerability allows an attacker to read files on the server that they should not have access to, potentially including sensitive files such as configuration files, user data, and credentials. This can result in the exposure of confidential information, which can be used to launch further attacks or compromise the system.
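The defensive pattern that closes this class of bug is to confine every server-side path derived from user input to one allowed directory before it is read. The following PHP helper is an added example for illustration only; it is not Pimcore's code and not the fix in the commit linked below. The function name `resolveImportPath`, the "allowed" import directory, and the sample files it creates in the system temp directory are all assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not Pimcore code): resolve a user-supplied
 * relative path against an allowed import directory and refuse anything that
 * would end up outside it. Returns the canonical path, or null to reject.
 */
function resolveImportPath(string $allowedBase, string $userPath): ?string
{
    $base = realpath($allowedBase);
    if ($base === false) {
        return null; // the allowed directory itself must exist
    }

    // Reject null bytes and absolute paths (POSIX or Windows drive letters) outright.
    if (str_contains($userPath, "\0")
        || str_starts_with($userPath, '/')
        || preg_match('#^[A-Za-z]:#', $userPath) === 1) {
        return null;
    }

    // Lexical normalisation: drop '.' and empty segments; a '..' that would
    // climb above the base is a traversal attempt and is rejected.
    $segments = [];
    foreach (explode('/', str_replace('\\', '/', $userPath)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($segments === []) {
                return null;
            }
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }

    $candidate = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);

    // Defence in depth: after symlink resolution the target must still be under the base.
    $real = realpath($candidate);
    if ($real === false) {
        return null; // target does not exist
    }
    if ($real !== $base && !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null; // a symlink pointed outside the allowed directory
    }
    return $real;
}

// Self-check on a constructed directory layout in the system temp dir.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'import-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/allowed/sub', 0700, true);
mkdir($root . '/secret', 0700, true);
file_put_contents($root . '/allowed/sub/data.csv', "id,name\n1,demo\n");
file_put_contents($root . '/secret/config.php', "<?php // constructed sample\n");

$cases = [
    'sub/data.csv'                => true,  // legitimate file inside the base
    './sub/../sub/data.csv'       => true,  // harmless dot segments
    '../secret/config.php'        => false, // classic traversal
    'sub/../../secret/config.php' => false, // traversal after a valid segment
    "sub/data.csv\0.txt"          => false, // null-byte truncation attempt
    '/etc/hostname'               => false, // absolute path
];
foreach ($cases as $input => $expectAllowed) {
    $resolved = resolveImportPath($root . '/allowed', $input);
    $ok = ($resolved !== null) === $expectAllowed;
    printf("%-36s %s\n", json_encode($input), $ok ? 'OK' : 'UNEXPECTED');
}
```

The lexical pass rejects a `..` that would climb above the base instead of silently clamping it, so a traversal attempt fails loudly and can be logged; the `realpath` check afterwards catches the case where an in-tree symlink points elsewhere, which a purely string-based check would miss.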
### Patches
Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch
### Workarounds
Apply patch https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e8
OSV (osv · 2023-04-27)
CVE-2023-2336 [MEDIUM] Path Traversal in Asset "import from server" option
Advisory text identical to the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-04-27