CVE-2021-21425 Unauthenticated Arbitrary YAML Write/Update leads to Code Execution

2021-04-0718:20:13

CWE-284

GitHub_M

www.cve.org

cve-2021-21425

grav admin plugin

arbitrary yaml write/update

code execution

unauthenticated user

html user interface

configuration change

arbitrary file creation

operating system command

web-server user

CVSS3

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

AI Score

9.7

Confidence

High

EPSS

0.85

Percentile

98.6%

JSON

Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages. In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes, such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability, an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command under the context of the web-server user. This vulnerability is fixed in version 1.10.8. Blocking access to the /admin path from untrusted sources can be applied as a workaround.

CNA Affected

[
  {
    "product": "grav-plugin-admin",
    "vendor": "getgrav",
    "versions": [
      {
        "status": "affected",
        "version": "<= 1.10.7"
      }
    ]
  }
]