9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.01 Low
EPSS
Percentile
83.5%
PHP-IMAP is a wrapper for common IMAP communication without the need to
have the php-imap module installed / enabled. Prior to version 5.3.0, an
unsanitized attachment filename allows any unauthenticated user to leverage
a directory traversal vulnerability, which results in a remote code
execution vulnerability. Every application that stores attachments with
Attachment::save()
without providing a $filename
or passing unsanitized
user input is affected by this attack. An attacker can send an email with a
malicious attachment to the inbox, which gets crawled with
webklex/php-imap
or webklex/laravel-imap
. Prerequisite for the
vulnerability is that the script stores the attachments without providing a
$filename
, or providing an unsanitized $filename
, in
src/Attachment::save(string $path, string $filename = null)
. In this
case, where no $filename
gets passed into the Attachment::save()
method, the package would use a series of unsanitized and insecure input
values from the mail as fallback. Even if a developer passes a $filename
into the Attachment::save()
method, e.g. by passing the name or filename
of the mail attachment itself (from email headers), the input values never
get sanitized by the package. There is also no restriction about the file
extension (e.g. “.php”) or the contents of a file. This allows an attacker
to upload malicious code of any type and content at any location where the
underlying user has write permissions. The attacker can also overwrite
existing files and inject malicious code into files that, e.g. get executed
by the system via cron or requests. Version 5.3.0 contains a patch for this
issue.
github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L251-L255
github.com/Webklex/php-imap/blob/5.2.0/src/Attachment.php#L252
github.com/Webklex/php-imap/pull/414
github.com/Webklex/php-imap/releases/tag/5.3.0
github.com/Webklex/php-imap/security/advisories/GHSA-47p7-xfcc-4pv9
launchpad.net/bugs/cve/CVE-2023-35169
nvd.nist.gov/vuln/detail/CVE-2023-35169
security-tracker.debian.org/tracker/CVE-2023-35169
www.cve.org/CVERecord?id=CVE-2023-35169