CVE-2021-23405

8.3 HIGH

📋 TL;DR

This is a SQL injection vulnerability in Pimcore's ClassificationstoreController that allows attackers to execute arbitrary SQL commands. It affects Pimcore installations before version 10.0.7, where the storeId parameter is not properly validated before being used in SQL by the collectionsActionGet and groupsActionGet methods.

💻 Affected Systems

Products:
  • pimcore/pimcore
Versions: All versions before 10.0.7
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Pimcore installations using the classification store feature with default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data manipulation, and potential remote code execution through database functions.

🟠 Likely Case: Unauthorized data access, data exfiltration, and potential privilege escalation within the application.

🟢 If Mitigated: No impact if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH - Web applications are typically internet-facing and this vulnerability is exploitable via HTTP requests.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the affected endpoints, typically requiring some level of authentication. The SQL injection is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.7

Vendor Advisory: https://github.com/pimcore/pimcore/pull/9572

Restart Required: No

Instructions:

1. Update Pimcore to version 10.0.7 or later using composer update pimcore/pimcore.
2. Verify the update completed successfully.
3. Clear any application caches if necessary.

🔧 Temporary Workarounds

Input Validation Middleware (applies to: all)

Implement custom middleware to validate and sanitize the storeId parameter before it reaches the vulnerable methods.

Web Application Firewall Rule (applies to: all)

Configure WAF rules to block SQL injection patterns in requests to ClassificationstoreController endpoints.

🧯 If You Can't Patch

  • Restrict access to ClassificationstoreController endpoints using network ACLs or authentication requirements
  • Implement database-level protections such as least privilege database accounts and query logging

🔍 How to Verify

Check if Vulnerable:

Check the installed Pimcore version via composer show pimcore/pimcore, or check the application version in the admin interface; any version below 10.0.7 is vulnerable.

Check Version:

composer show pimcore/pimcore | grep versions

Verify Fix Applied:

Verify version is 10.0.7 or higher and test the affected endpoints with SQL injection payloads to confirm they're blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by ClassificationstoreController access
  • HTTP requests with SQL injection patterns in storeId parameter

Network Indicators:

  • HTTP POST/GET requests to /admin/classificationstore/* endpoints with suspicious parameters

SIEM Query:

source="web_logs" AND (uri_path="/admin/classificationstore/*" AND (param="storeId" AND value MATCH "[';]|UNION|SELECT"))
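As an added defensive example (not code from this page or from the Pimcore project), the script below does two things the advisory describes: it applies the integer allow-list that the "Input Validation Middleware" workaround would enforce on storeId, and it runs the SIEM query's pattern over constructed access-log lines after URL-decoding the parameter. The action path segments under /admin/classificationstore/ and the assumption that storeId is an integer id are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint prefix named in the advisory; the action segments in the sample log are assumed.
CLASSIFICATIONSTORE_PREFIX = "/admin/classificationstore/"
# Pattern taken from the advisory's SIEM query, applied after URL-decoding the value.
SIEM_PATTERN = re.compile(r"[';]|UNION|SELECT", re.IGNORECASE)
# Combined (Apache/nginx style) access-log line: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def is_valid_store_id(value: str) -> bool:
    """Allow-list check a middleware would enforce: a store id is ASCII digits only (assumed)."""
    return re.fullmatch(r"[0-9]+", value) is not None

def store_ids_from_uri(uri: str) -> list[str]:
    """Decoded storeId values of a classificationstore request; [] for any other path."""
    parts = urlsplit(uri)
    if not parts.path.startswith(CLASSIFICATIONSTORE_PREFIX):
        return []
    return parse_qs(parts.query, keep_blank_values=True).get("storeId", [])

def scan_access_log(lines):
    """Return (line_no, client_ip, storeId, reason) for every suspicious storeId value."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        for sid in store_ids_from_uri(m["uri"]):
            if SIEM_PATTERN.search(sid):
                findings.append((n, m["ip"], sid, "siem-pattern"))
            elif not is_valid_store_id(sid):
                findings.append((n, m["ip"], sid, "non-integer"))
    return findings

# Constructed sample log lines (not real traffic). Lines 2, 3 and 5 should be flagged;
# line 5 is missed by the SIEM regex alone and only caught by the integer allow-list.
SAMPLE_LOG = [
    '10.0.0.5 - admin [10/Oct/2021:13:55:36 +0000] "GET /admin/classificationstore/collections?storeId=1 HTTP/1.1" 200 512',
    '10.0.0.9 - admin [10/Oct/2021:13:55:40 +0000] "GET /admin/classificationstore/groups?storeId=1%27%20OR%201%3D1 HTTP/1.1" 200 2048',
    '10.0.0.9 - admin [10/Oct/2021:13:55:41 +0000] "GET /admin/classificationstore/collections?storeId=2%20UNION%20SELECT%201 HTTP/1.1" 500 0',
    '10.0.0.7 - admin [10/Oct/2021:13:56:02 +0000] "GET /admin/object/get?id=5%27 HTTP/1.1" 200 300',
    '10.0.0.9 - admin [10/Oct/2021:13:56:10 +0000] "GET /admin/classificationstore/groups?storeId=1e1 HTTP/1.1" 200 2048',
]
```

scan_access_log(SAMPLE_LOG) returns the three flagged entries; note that access logs carry only the query string, so POST bodies to the same endpoints need application-level or WAF logging to be covered.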
