CVE-2021-23340

7.1 HIGH

📋 TL;DR

This CVE describes an authenticated Local File Inclusion vulnerability in Pimcore's CustomReportController. An authenticated user can exploit unsanitized input in the exportFile parameter to read arbitrary files from the server. This affects all Pimcore installations before version 6.8.8.

💻 Affected Systems

Products:
  • pimcore/pimcore
Versions: All versions before 6.8.8
Operating Systems: All operating systems running Pimcore
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the admin interface. The vulnerability is present in default configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could read sensitive files like configuration files, database credentials, or source code, potentially leading to full system compromise.

🟠 Likely Case

Unauthorized access to sensitive files containing application data, user information, or system configuration.

🟢 If Mitigated

Limited impact with proper file permissions and network segmentation restricting access to sensitive files.

🌐 Internet-Facing: MEDIUM - Requires authentication but exposed endpoints could be targeted by credential stuffing or compromised accounts.
🏢 Internal Only: HIGH - Authenticated users (including legitimate users with malicious intent) can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward with a simple GET request manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.8.8

Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-8q8r-2jq9-9qjq

Restart Required: No

Instructions:

1. Update Pimcore to version 6.8.8 or later.
2. Run composer update pimcore/pimcore.
3. Clear the application cache if needed.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side validation to restrict exportFile parameter to allowed file paths only.

Modify CustomReportController.php to validate the exportFile parameter against an allow-list of permitted paths before any file is opened.

Access Restriction

all

Restrict access to the /admin/reports/custom-report/download-csv endpoint to only necessary users.

Configure web server or application firewall rules to limit access to that endpoint.

🧯 If You Can't Patch

  • Implement strict file system permissions to limit readable files to only those necessary for application operation.
  • Deploy web application firewall (WAF) rules to block requests with suspicious file paths in the exportFile parameter.

🔍 How to Verify

Check if Vulnerable:

Check Pimcore version via admin interface or composer.json. If version is below 6.8.8, the system is vulnerable.

Check Version:

composer show pimcore/pimcore | grep version

Verify Fix Applied:

Verify Pimcore version is 6.8.8 or later. Test the endpoint with malicious input to confirm proper sanitization.

📡 Detection & Monitoring

Log Indicators:

  • GET requests to /admin/reports/custom-report/download-csv with unusual file paths in exportFile parameter
  • Access to sensitive system files from web application logs

Network Indicators:

  • Unusual file path patterns in HTTP GET parameters
  • Multiple failed attempts to access restricted files

SIEM Query:

source="web_access.log" AND uri_path="/admin/reports/custom-report/download-csv" AND query_string="*exportFile=*"
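The log indicators and SIEM query above can be turned into a concrete check. The following is an added example, not part of the original advisory or of Pimcore: it scans constructed common-log-format access-log lines for requests to the download-csv endpoint and flags exportFile values that contain parent-directory segments, absolute paths, null bytes, or anything other than a bare .csv filename (the "bare .csv filename" rule is an assumption about what legitimate exports look like in a given deployment).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admin/reports/custom-report/download-csv"
# Assumption: a legitimate export name is a bare .csv filename with no directory part.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+\.csv$")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Feb/2021:10:01:12 +0000] "GET /admin/reports/custom-report/download-csv?exportFile=report_2021-02-12.csv HTTP/1.1" 200 5120
10.0.0.9 - bob [12/Feb/2021:10:02:33 +0000] "GET /admin/reports/custom-report/download-csv?exportFile=..%2F..%2Fnot-a-report.txt HTTP/1.1" 200 871
10.0.0.9 - bob [12/Feb/2021:10:02:40 +0000] "GET /admin/reports/custom-report/download-csv?exportFile=/tmp/not-a-report.txt HTTP/1.1" 200 12
10.0.0.7 - carol [12/Feb/2021:10:03:01 +0000] "GET /admin/login HTTP/1.1" 200 2048
"""


def classify_export_file(value):
    """Return why an exportFile value is suspicious, or None if it looks benign."""
    decoded = unquote(value)  # parse_qs already decoded once; this catches double encoding
    if "\x00" in decoded:
        return "null byte"
    if ".." in decoded.replace("\\", "/").split("/"):
        return "parent-directory traversal"
    if decoded.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", decoded):
        return "absolute path"
    if not SAFE_NAME.match(decoded):
        return "not a plain .csv filename"
    return None


def scan_access_log(text):
    """Flag download-csv requests whose exportFile parameter is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not common log format; skip
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("exportFile", []):
            reason = classify_export_file(raw)
            if reason:
                findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                                 "status": m["status"], "value": unquote(raw),
                                 "reason": reason})
    return findings
```

Because the vulnerability requires an authenticated user, the `user` field of each finding is the useful pivot: a 200 response on a flagged request from a named account is the case to investigate first.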
