CVE-2024-47823

{"id": "CVE-2024-47823", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 7.7, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-08T18:15:31.370", "references": [{"url": "https://github.com/livewire/livewire/commit/70503b79f5db75a1eac9bf55826038a6ee5a16d5", "source": "security-advisories@github.com"}, {"url": "https://github.com/livewire/livewire/commit/cd168c6212ea13d13b82b3132485741f82d9fad9", "source": "security-advisories@github.com"}, {"url": "https://github.com/livewire/livewire/pull/8624", "source": "security-advisories@github.com"}, {"url": "https://github.com/livewire/livewire/security/advisories/GHSA-f3cx-396f-7jqp", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Livewire is a full-stack framework for Laravel that allows for dynamic UI components without leaving PHP. In livewire/livewire prior to `2.12.7` and `v3.5.2`, the file extension of an uploaded file is guessed based on the MIME type. As a result, the actual file extension from the file name is not validated. An attacker can therefore bypass the validation by uploading a file with a valid MIME type (e.g., `image/png`) and a \u201c.php\u201d file extension. If the following criteria are met, the attacker can carry out an RCE attack: 1. Filename is composed of the original file name using `$file->getClientOriginalName()`. 2. Files stored directly on your server in a public storage disk. 3. Webserver is configured to execute \u201c.php\u201d files. This issue has been addressed in release versions `2.12.7` and `3.5.2`. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Livewire es un framework full-stack para Laravel que permite componentes de UI din\u00e1micos sin salir de PHP. En livewire/livewire `< v3.5.2`, la extensi\u00f3n de archivo de un archivo cargado se adivina en funci\u00f3n del tipo MIME. Como resultado, la extensi\u00f3n de archivo real del nombre de archivo no se valida. Por lo tanto, un atacante puede eludir la validaci\u00f3n cargando un archivo con un tipo MIME v\u00e1lido (por ejemplo, `image/png`) y una extensi\u00f3n de archivo \u201c.php\u201d. Si se cumplen los siguientes criterios, el atacante puede llevar a cabo un ataque RCE: 1. El nombre de archivo est\u00e1 compuesto por el nombre de archivo original utilizando `$file->getClientOriginalName()`. 2. Archivos almacenados directamente en su servidor en un disco de almacenamiento p\u00fablico. 3. El servidor web est\u00e1 configurado para ejecutar archivos \u201c.php\u201d. Este problema se ha solucionado en la versi\u00f3n de lanzamiento 3.5.2. Se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."}], "lastModified": "2024-10-10T12:56:30.817", "sourceIdentifier": "security-advisories@github.com"}