CVE-2020-36388

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users to upload and execute malicious PHAR archives in CiviCRM, potentially leading to remote code execution. It affects CiviCRM installations before version 5.21.3 and versions 5.22.x through 5.24.x before 5.24.3. Attackers could gain control of the web server process.

💻 Affected Systems

Products:
  • CiviCRM
Versions: Before 5.21.3, 5.22.x through 5.24.x before 5.24.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing arbitrary code execution, data theft, and lateral movement within the network.

🟠 Likely Case

Unauthorized file upload leading to web shell deployment and limited server access.

🟢 If Mitigated

No impact if proper file upload restrictions and user access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access and ability to upload files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.21.3, 5.24.3

Vendor Advisory: https://civicrm.org/advisory/civi-sa-2020-03

Restart Required: No

Instructions:

1. Backup your CiviCRM installation and database.
2. Update to CiviCRM 5.21.3 or 5.24.3 or later.
3. Verify the update completed successfully.

🔧 Temporary Workarounds

Restrict PHAR file uploads

Platform: all

Configure web server or application to block .phar file uploads

# In Apache .htaccess (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat
# replace the Order/Deny lines with "Require all denied"):
<FilesMatch "\.phar$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
# In nginx config:
location ~ \.phar$ {
    deny all;
}
# Both rules refuse HTTP requests for paths ending in .phar; they do not inspect
# upload bodies, so pair them with application-side upload validation.

Disable PHAR deserialization

Platform: linux

Add PHP configuration to disable phar:// stream wrapper

# Apache mod_php directives; php_admin_value belongs in the server or vhost
# config (not .htaccess) and cannot be overridden by ini_set().
# phar.readonly=On stops PHP scripts from creating or modifying phar archives;
# phar.require_hash=On makes PHP refuse to open phar archives without a signature.
php_admin_value phar.readonly On
php_admin_value phar.require_hash On

🧯 If You Can't Patch

  • Implement strict file upload validation to reject PHAR files
  • Restrict user permissions to minimize attack surface
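As an added defender-side example of the strict upload validation listed above (not CiviCRM's own code), the check below rejects PHAR archives by content as well as by name, so a renamed archive is caught too. The token regex, the archive-container checks, the function names and the constructed sample uploads are this example's own assumptions.

```python
import re

# PHP recognises a phar archive by the __HALT_COMPILER(); token that closes
# its PHP stub, so content inspection keys on that token rather than the name.
# PHP keywords are case-insensitive and whitespace may appear before "();".
HALT_TOKEN = re.compile(rb"__HALT_COMPILER\s*\(\s*\)\s*;", re.IGNORECASE)
ZIP_MAGIC = b"PK\x03\x04"
TAR_MAGIC_OFFSET, TAR_MAGIC = 257, b"ustar"

def has_phar_extension(filename: str) -> bool:
    """Reject on any '.phar' segment so 'x.phar.jpg' is caught, not just 'x.phar'."""
    return "phar" in filename.lower().split(".")[1:]

def looks_like_phar(data: bytes) -> bool:
    """Content check that does not trust the file name."""
    if HALT_TOKEN.search(data):
        return True
    # Tar- and zip-based phars are plain archives whose stub and metadata live
    # under a '.phar/' directory entry; entry names are stored uncompressed.
    is_zip = data.startswith(ZIP_MAGIC)
    is_tar = data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC
    return (is_zip or is_tar) and b".phar/" in data

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); both the name and the content are checked."""
    if has_phar_extension(filename):
        return False, "phar extension"
    if looks_like_phar(data):
        return False, "phar content"
    return True, "ok"

# Constructed sample uploads (not real captures).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,                   # benign JPEG header
    "photo.phar.jpg": b"\xff\xd8\xff\xe0",                              # double extension
    "report.pdf": b"<?php __halt_compiler () ; ?>\r\n" + b"\x00" * 8,  # renamed phar stub
    "bundle.zip": ZIP_MAGIC + b"\x00" * 26 + b".phar/stub.php",        # zip-based phar
    "notes.txt": b"see the .phar/ directory in the docs",               # plain text, kept
}

def scan_samples() -> dict[str, tuple[bool, str]]:
    return {name: validate_upload(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in scan_samples().items():
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT':6} {reason}")
```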

🔍 How to Verify

Check if Vulnerable:

Check CiviCRM version in admin interface or via civicrm/CRM/Upgrade/Form.php

Check Version:

grep -r "define.*CIVICRM_VERSION" /path/to/civicrm/ | head -1

Verify Fix Applied:

Confirm version is 5.21.3 or 5.24.3+ and test file upload functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with .phar extension
  • POST requests to file upload endpoints with suspicious content

Network Indicators:

  • HTTP requests containing PHAR magic bytes (__HALT_COMPILER())

SIEM Query:

source="web_logs" AND (uri_path="*upload*" OR uri_path="*file*" OR method="POST") AND (user_agent="*phar*" OR referer="*phar*" OR request_body="*__HALT_COMPILER*" OR request_body="*phar://*")

🔗 References
