CVE-2023-34448
Published 2023-06-14
Priority: P352 · Severity: high · CVSS 3.1 base score: 7.2
CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.52% (90.3th percentile)
Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`.
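As an added illustration of the mitigation described above (example code written for this page, not Grav's own patch), the following Twig extension overrides the core `map()` and `reduce()` filters and refuses any arrow argument that is not a closure, which is the strictest form of the `$arrow` validation the fix introduces; the class name `SafeArrowExtension`, the Composer setup and the demo templates are assumptions.

```php
<?php
// Added example, not Grav's patch: override Twig's core map/reduce filters so the
// arrow is accepted only when it is a real closure; the core code would otherwise
// call a string arrow as a PHP function name. Assumes twig/twig 1.44 or 2.x (Composer).
require __DIR__ . '/vendor/autoload.php';
use Twig\{Environment, TwigFilter};
use Twig\Error\RuntimeError;
use Twig\Extension\AbstractExtension;
use Twig\Loader\ArrayLoader;
final class SafeArrowExtension extends AbstractExtension
{
    public function getFilters(): array
    {
        // Same names as the core filters: an extension registered later replaces them.
        return [
            new TwigFilter('map', [$this, 'map'], ['needs_environment' => true]),
            new TwigFilter('reduce', [$this, 'reduce'], ['needs_environment' => true]),
        ];
    }
    // Strictest form of the advisory's validation: refuse every non-closure arrow.
    private static function checkArrow($arrow, string $filter): void
    {
        if (!$arrow instanceof \Closure) {
            $given = is_string($arrow) ? "\"$arrow\"" : gettype($arrow);
            throw new RuntimeError("The \"$filter\" filter only accepts an arrow function, $given given.");
        }
    }
    public function map(Environment $env, iterable $array, $arrow): array
    {
        self::checkArrow($arrow, 'map');
        $out = [];
        foreach ($array as $k => $v) { $out[$k] = $arrow($v, $k); }
        return $out;
    }
    public function reduce(Environment $env, iterable $array, $arrow, $initial = null)
    {
        self::checkArrow($arrow, 'reduce');
        foreach ($array as $v) { $initial = $arrow($initial, $v); }
        return $initial;
    }
}

// Constructed demo templates: a closure arrow is accepted, a string arrow is refused.
$twig = new Environment(new ArrayLoader([
    'closure' => '{{ [1, 2, 3]|map(v => v * 2)|join(",") }}',
    'string'  => '{{ ["a"]|map("strtoupper") }}',
]));
$twig->addExtension(new SafeArrowExtension());
echo $twig->render('closure'), PHP_EOL;
try { $twig->render('string'); } catch (RuntimeError $e) { echo 'blocked: ', $e->getMessage(), PHP_EOL; }
```

Grav's own patch applies its check inside the overridden filters in `GravExtension.php`; the extension above is a stand-alone way to get the same effect in any Twig 1.44/2.x environment.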
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgrav | grav | < 1.7.42 | 1.7.42 |
| getgrav | grav | >= 0 < 1.7.42 | 1.7.42 |
OSV
Grav Server-side Template Injection (SSTI) via Twig Default Filters
osv·2023-06-16
CVE-2023-34448 [HIGH] Grav Server-side Template Injection (SSTI) via Twig Default Filters
Hi,
We actually sent the bug report to [[email protected]](mailto:[email protected]) on 27th March 2023 and on 10th April 2023.
# Grav Server-side Template Injection (SSTI) via Twig Default Filters
## Summary:
| **Product** | Grav CMS |
| ----------------------- | --------------------------------------------- |
| **Vendor** | Grav |
| **Severity** | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution |
| **Affected Versions** | true]),
];
}
...
+ /**
+ * @param Environment $env
+ * @param array $array
+ * @param callable|string $arrow
+ * @return array|CallbackFilterIterator
+ * @throws RuntimeError
+ */
+ function filterF
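Review bot: the docblock types `$arrow` as `callable|string` and declares `@throws RuntimeError`, so the runtime check that rejects an unsafe string arrow belongs at the very top of this function body, before `$arrow` is invoked or handed to Twig's core implementation; since the advisory text states that the CVE-2022-2073 fix covered only `filter()`, the same check should be reached through the `map()` and `reduce()` overrides as well rather than living only in this function.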
GHSA
Grav Server-side Template Injection (SSTI) via Twig Default Filters
ghsa·2023-06-16
CVE-2023-34448 [HIGH] CWE-1336 Grav Server-side Template Injection (SSTI) via Twig Default Filters
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/getgrav/grav/commit/8c2c1cb72611a399f13423fc6d0e1d998c03e5c8
- https://github.com/getgrav/grav/security/advisories/GHSA-whr7-m3f8-mpm8
- https://github.com/twigphp/Twig/blob/v1.44.7/src/Environment.php#L148
- https://huntr.dev/bounties/3ef640e6-9e25-4ecb-8ec1-64311d63fe66/
- https://www.github.com/getgrav/grav/commit/9d6a2dba09fd4e56f5cdfb9a399caea355bfeb83