CVE-2021-22967

7.5 HIGH

📋 TL;DR

CVE-2021-22967 is an Insecure Direct Object Reference (IDOR) vulnerability in Concrete CMS that allows unauthenticated users to access restricted files if they have permission to add messages to conversations. It affects Concrete CMS versions below 8.5.7. The vulnerability exists because file attachment permissions were not properly verified when a message was added to a conversation.

💻 Affected Systems

Products:
  • Concrete CMS (formerly concrete5)
Versions: All versions below 8.5.7
Operating Systems: All platforms running Concrete CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the conversation/messaging feature to be enabled and user must have permission to add messages.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthenticated attackers could access sensitive files containing confidential information, credentials, or system configuration data.

🟠 Likely Case

Unauthorized access to files that should be restricted to specific users or groups, potentially exposing sensitive business or user data.

🟢 If Mitigated

With proper access controls and file permissions, impact is limited to files that have overly permissive settings.

🌐 Internet-Facing: MEDIUM - Exploitable remotely but requires some user interaction and specific permissions to add messages.
🏢 Internal Only: MEDIUM - Similar risk internally if users have message posting permissions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on HackerOne. The attack requires the ability to add messages to conversations, but no authentication is required for the subsequent file access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.7 and later

Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes

Restart Required: No

Instructions:

1. Back up your Concrete CMS installation and database.
2. Update to Concrete CMS version 8.5.7 or later.
3. Verify that the update completed successfully.
4. Test conversation file attachment functionality.

🔧 Temporary Workarounds

Disable Conversation File Attachments (platform: all)

Temporarily disable file attachments in conversations to prevent exploitation.

Modify the Concrete CMS configuration to remove file upload permissions from conversation features.

Restrict File Access via .htaccess (platform: linux)

Add additional access controls to sensitive file directories.

Add 'Deny from all' or appropriate access controls to the application/files directories.

🧯 If You Can't Patch

  • Implement strict file permission controls on sensitive directories
  • Disable conversation/messaging features entirely if not required

🔍 How to Verify

Check if Vulnerable:

Check the Concrete CMS version in the admin dashboard or via the version.php file. If the version is below 8.5.7 and conversation features are enabled, the system is vulnerable.

Check Version:

Check /concrete/config/version.php or the admin dashboard for the version number.

Verify Fix Applied:

After updating to 8.5.7+, test that unauthenticated users cannot access restricted files through conversation attachments.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file access attempts through /index.php/conversations endpoints
  • File download requests from unauthenticated users to restricted file paths

Network Indicators:

  • HTTP requests to conversation endpoints with file attachment parameters from unauthorized sources

SIEM Query (pseudo-syntax; the field names are illustrative and must be mapped to your own web log schema):

source="web_logs" AND (uri_path="/index.php/conversations" OR uri_path="/conversations") AND (status=200 OR status=302) AND file_attachment_parameter EXISTS
