CVE-2023-40028
Published 2023-08-15. CVE-2023-40028: Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files…
Priority: P2 (60) · Severity: medium · CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit: public exploit indexed
EPSS: 57.56% (99.0th percentile)
Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ghost | ghost | < 5.59.1 | 5.59.1 |
| ghost | ghost | >= 0 < 5.59.1 | 5.59.1 |
| tryghost | ghost | < 5.59.1 | 5.59.1 |
Detection & IOCs (extracted from sources)
- Look for unknown symlinks within Ghost's `content/` directory on the host filesystem. This is the primary forensic indicator of exploitation and the check the advisory itself recommends.
- Detect POST requests to the Ghost Admin API `/db` import endpoint (`/ghost/api/admin/db/`) carrying a multipart ZIP upload whose archive contains a symlink entry under `content/images/`. The public exploit names its upload `exploit.zip`.
- Detect the request header `X-Ghost-Version: 5.58` combined with a POST to the `/db` import endpoint; the exploit hardcodes this header regardless of the actual server version.
- After a ZIP import, watch for GET requests to `/content/images/2024/<13 random alphanumeric characters>.png` whose response body is not image data (ASCII text rather than a PNG header). A static file server usually derives the content type from the `.png` extension, so inspect the body rather than relying on a `text/plain` header alone.
- The exploit targets sensitive OS files via the symlink. Access logs record only the requested path, not what it resolved to, so correlate GET requests to Ghost's static content path with the symlink targets found on disk (`/etc/passwd`, `/etc/shadow`, `/proc/version` and similar non-image files).
- Note: the exploit requires valid credentials for the Ghost Admin panel before the symlink upload can be triggered; unauthenticated exploitation is not possible.
- Note: the exploit hardcodes the archive path `content/images/2024/` and reads the file back via `/content/images/2024/<name>.png`; detection rules scoped to that year subdirectory alone will miss variants that alter the path.
- Note: the symlink's filename is randomly generated (13 alphanumeric characters) on each run, so static filename IOCs are unreliable; match the pattern instead (a 13-character alphanumeric `.png` under `/content/images/2024/`), and treat `exploit.zip` and the hardcoded version header as equally easy for an attacker to change.
OSV (osv · 2023-08-15): CVE-2023-40028 [MEDIUM] Ghost vulnerable to arbitrary file read via symlinks in content import
### Impact
A vulnerability in Ghost allows authenticated users to upload files which are symlinks. This can be exploited to perform an arbitrary file read of any file on the operating system.
Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder.
### Vulnerable versions
This security vulnerability is present in Ghost ≤ v5.59.0.
### Patches
v5.59.1 contains a fix for this issue.
### For more information
If you have any questions or comments about this advisory:
* Email us at [[email protected]](mailto:[email protected])
GHSA (ghsa · 2023-08-15): CVE-2023-40028 [MEDIUM] CWE-22 Ghost vulnerable to arbitrary file read via symlinks in content import
(Advisory body identical to the OSV entry above.)
No detection rules found.
No writeups or analysis indexed.
References:
- https://github.com/TryGhost/Ghost/commit/690fbf3f7302ff3f77159c0795928bdd20f41205
- https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg
Published: 2023-08-15