CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
19.8%
Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in BE/lockRootPath
was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exploit this vulnerability.
Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.
see Important: #102800 changelog
Assuming that a web project is located in the directory /var/www/example.org
(the āproject root pathā for Composer-based projects) and the publicly accessible directory is located at /var/www/example.org/public
(the āpublic root pathā), accessing resources via the File Abstraction Layer component is limited to the mentioned directories.
To grant additional access to directories, they must be explicitly configured in the system settings of $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']
- either using the Install Tool or according to deployment techniques. The existing setting has been extended to support multiple directories configured as an array of strings.
Example:
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] = [
ā/var/shared/documents/ā,
ā/var/shared/images/ā,
];
ā Storages that reference directories not explicitly granted will be marked as āofflineā internally - no resources can be used in the websiteās frontend and backend context.
Thanks to TYPO3 core & security team members Oliver Hader and Benjamin Franzke who fixed the issue.
packetstormsecurity.com/files/176274/TYPO3-11.5.24-Path-Traversal.html
github.com/advisories/GHSA-w6x2-jg8h-p6mp
github.com/TYPO3/typo3/commit/205115cca3d67594a12d0195c937da0e51eb494a
github.com/TYPO3/typo3/commit/78fb9287a2f0487c39288070cb0493a5265f1789
github.com/TYPO3/typo3/commit/accf537c7379b4359bc0f957c4d0c07baddd710a
github.com/TYPO3/typo3/security/advisories/GHSA-w6x2-jg8h-p6mp
nvd.nist.gov/vuln/detail/CVE-2023-30451
typo3.org/security/advisory/typo3-core-sa-2024-001
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
19.8%