CVE-2021-29439
📋 TL;DR
CVE-2021-29439 is an improper privilege verification vulnerability in the Grav admin plugin: a user holding only the admin.login permission can install third-party plugins, an action that should be reserved for full administrators. A Grav plugin is PHP executed by the site, so installing one of the attacker's choosing is arbitrary code execution on the host and privilege escalation within the CMS. Every Grav installation running the admin plugin before version 1.10.11 is affected.
💻 Affected Systems
- Grav CMS with the admin plugin (getgrav/grav-plugin-admin) before version 1.10.11
📦 What is this software?
Grav Admin by Getgrav: the administration-panel plugin for the Grav flat-file CMS, used to configure the site, manage pages and install or update plugins and themes.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary code execution leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Attacker gains administrative access to the Grav CMS instance, modifies content, steals sensitive data, or uses the system as a foothold for lateral movement.
If Mitigated
With the admin route reachable only from trusted networks and admin.login held only by known administrators, a compromise is confined to the Grav host itself rather than the wider network. Note that code execution as the web server user still exposes the whole Grav install (pages, configuration and the account files under user/accounts/).
🎯 Exploit Status
Exploitation requires a valid account with the admin.login permission; no further privilege is needed. Once logged in, installing a plugin is the panel's normal workflow, so the flaw is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.11
Vendor Advisory: https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq
Restart Required: No
Instructions:
1. Back up your Grav installation (at minimum the user/ directory, which holds accounts, configuration, plugins and pages).
2. Update the admin plugin to 1.10.11 or later, either from the admin panel's Plugins page or from the command line in the Grav root: bin/gpm update admin
3. Verify the installed version (see How to Verify below); if the panel still shows the old version, clear the cache with bin/grav clearcache.
🔧 Temporary Workarounds
Block admin path access
Restrict the admin route (/admin by default; if `route:` in user/config/plugins/admin.yaml was changed, use that path) to trusted networks using web server configuration or firewall rules. This does not remove the flaw, it only limits who can reach it.
# Apache 2.4:
<Location "/admin">
    Require ip 192.168.1.0/24
</Location>
# Nginx (^~ makes the prefix match final so no regex location bypasses the allow/deny; keep the try_files line Grav needs, otherwise trusted users get a 404):
location ^~ /admin {
    allow 192.168.1.0/24;
    deny all;
    try_files $uri $uri/ /index.php?$query_string;
}
Remove admin.login from low-privilege users
Review and trim user permissions so that only trusted administrators hold admin.login (the permission the flawed check relied on); every other account should have access: admin: login: absent or false.
# Edit the per-user YAML files in user/accounts/ and remove (or set to false) the login key under access: admin: for non-admin users; site: login: is unaffected
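As an added example (not code from this page or from Grav), the following Python script does the permission review described above: it parses the per-user account files, lists every enabled account that holds admin.login but is not on your list of intended administrators, and can rewrite an account file so that admin.login is false while site.login is left alone. It assumes the default user/accounts/ location and the block-style YAML Grav emits; the sample accounts are constructed.

```python
"""Audit Grav account files for admin.login held by non-administrators.
Added example for this page, not code from the page or from Grav. Assumes
(not stated by the page) one YAML file per user in user/accounts/, written in
the block style Grav emits (nested mappings of scalars under access:, no lists
or flow syntax). The sample accounts below are constructed."""
from pathlib import Path

ACCOUNTS_DIR = "user/accounts"  # assumed default, relative to the Grav root

def _scalar(value):
    """YAML scalar token -> Python value (booleans, quoted strings, else text)."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    if value.lower() in ("true", "yes", "on"):
        return True
    if value.lower() in ("false", "no", "off"):
        return False
    return value

def parse_block_yaml(text):
    """Parse the YAML subset Grav account files use: indentation-nested mappings."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open mapping
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while indent <= stack[-1][0]:  # a dedent closes the open mapping(s)
            stack.pop()
        key, _, value = stripped.partition(":")
        if value.strip() == "":  # bare key opens a nested mapping
            child = {}
            stack[-1][1][key.strip()] = child
            stack.append((indent, child))
        else:
            stack[-1][1][key.strip()] = _scalar(value.strip())
    return root

def admin_rights(account):
    """Set of admin.* permissions that are exactly true for the account."""
    access = account.get("access")
    admin = access.get("admin") if isinstance(access, dict) else None
    if not isinstance(admin, dict):
        return set()
    return {perm for perm, allowed in admin.items() if allowed is True}

def audit(accounts, expected_admins):
    """(name, rights) for each enabled account holding admin.login that is not
    an intended administrator; on admin < 1.10.11 each can install plugins."""
    findings = []
    for name, text in sorted(accounts.items()):
        acct = parse_block_yaml(text)
        if str(acct.get("state", "enabled")).lower() == "disabled":
            continue
        rights = admin_rights(acct)
        if "login" in rights and name not in expected_admins:
            findings.append((name, rights))
    return findings

def revoke_admin_login(text):
    """Rewrite an account file with access.admin.login set to false; site.login
    and every other key are left exactly as they were."""
    out, in_access, in_admin, access_indent, admin_indent = [], False, False, 0, 0
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith("#"):
            indent = len(raw) - len(raw.lstrip(" "))
            if in_admin and indent <= admin_indent:
                in_admin = False
            if in_access and indent <= access_indent:
                in_access = False
            if not in_access and stripped == "access:":
                in_access, access_indent = True, indent
            elif in_access and not in_admin and stripped == "admin:":
                in_admin, admin_indent = True, indent
            elif in_admin and stripped.partition(":")[0].strip() == "login":
                raw = " " * indent + "login: false"
        out.append(raw)
    return "\n".join(out) + "\n"

def load_accounts(path=ACCOUNTS_DIR):
    """{name: file text} for every <name>.yaml in a real accounts directory."""
    return {p.stem: p.read_text(encoding="utf-8")
            for p in sorted(Path(path).glob("*.yaml"))}

# Constructed sample accounts (not real data; the hashes are placeholders).
_HASH = "hashed_password: $2y$10$placeholderplaceholderplaceholderplaceholder\n"
SAMPLE_ACCOUNTS = {
    "alice": "email: alice@example.org\nstate: enabled\naccess:\n  admin:\n"
             "    login: true\n    super: true\n  site:\n    login: true\n" + _HASH,
    "bob": "email: bob@example.org\nstate: enabled\naccess:\n  admin:\n"
           "    login: true\n    pages: true\n  site:\n    login: true\n" + _HASH,
    "carol": "email: carol@example.org\nstate: enabled\naccess:\n  site:\n"
             "    login: true\n" + _HASH,
    "dave": "email: dave@example.org\nstate: disabled\naccess:\n  admin:\n"
            "    login: true\n" + _HASH,
}

if __name__ == "__main__":
    for name, rights in audit(SAMPLE_ACCOUNTS, expected_admins={"alice"}):
        print(f"{name}: admin rights {sorted(rights)} but not an intended admin")
    print(revoke_admin_login(SAMPLE_ACCOUNTS["bob"]))
```

On a real install, replace SAMPLE_ACCOUNTS with load_accounts() run from the Grav root and pass the set of account names that are supposed to be administrators; every name the audit returns is one that could reach the plugin installer on a vulnerable admin plugin. Review the rewritten file before writing it back, since the parser deliberately handles only the plain block-style files Grav writes.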
🧯 If You Can't Patch
- Implement strict network access controls to limit /admin path access to trusted IPs only.
- Regularly audit user accounts and permissions to ensure no unauthorized users have admin.login privilege.
🔍 How to Verify
Check if Vulnerable:
Open the admin panel's Plugins page and read the Admin Panel plugin version, or read it from the plugin manifest on disk, user/plugins/admin/blueprints.yaml (admin.yaml in the same directory is the plugin's configuration and does not carry the version). Anything below 1.10.11 is vulnerable.
Check Version:
grep '^version:' /path/to/grav/user/plugins/admin/blueprints.yaml
Verify Fix Applied:
Confirm the reported version is 1.10.11 or higher, then log in with a test account that holds only admin.login and confirm that the plugin installer refuses it.
📡 Detection & Monitoring
Log Indicators:
- Plugin installation activity (a new directory appearing under user/plugins/) attributable to an account that is not an administrator
- Multiple failed login attempts followed by successful login and plugin installation
Network Indicators:
- HTTP POST requests to the plugin-management routes under /admin/plugins, including /admin/plugins/install (adjust the prefix if the admin route was changed), from source addresses outside the administrators' networks
- Unusual outbound connections after plugin installation
SIEM Query:
source="grav_access.log" AND http_method="POST" AND uri_path LIKE "/admin/plugins%" AND src_ip NOT IN (<trusted admin CIDRs>)
(Pseudo-syntax; adapt field names to your SIEM. Web access logs do not carry the Grav username, so the allow-list is keyed on source IP, or on whatever identity field your reverse proxy or SSO adds to the log.)
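As an added example (not code from this page or from Grav), the following Python script implements the detection described in this section over web server access log lines: it keeps POSTs to the plugin-management routes from addresses outside the trusted administrator CIDRs and, for each hit, counts the admin login POSTs the same address made earlier in the log, which is the login-then-install sequence listed above. It assumes the Apache/Nginx combined log format, the default /admin route, an install action under /admin/plugins (the path this page names), and that login POSTs target /admin or /admin/login; the log lines are constructed.

```python
"""Flag Grav admin plugin-installation requests from untrusted sources.
Added example for this page; not code from the page, from Grav or from the
admin plugin. Assumptions (not stated by the page): combined log format, the
default /admin route, the install action as a POST under /admin/plugins, and
login POSTs to /admin or /admin/login. The sample log is constructed."""
from collections import defaultdict
import ipaddress
import re

# Assumed admin route; change if `route:` in user/config/plugins/admin.yaml differs.
ADMIN_ROUTE = "/admin"

# Combined log: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PLUGIN_PATH_RE = re.compile(re.escape(ADMIN_ROUTE) + r"/plugins(/|$)")
LOGIN_PATHS = {ADMIN_ROUTE, ADMIN_ROUTE + "/login"}  # assumed login targets

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec

def is_trusted(ip, trusted_nets):
    """True when the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)

def find_suspicious(lines, trusted_cidrs):
    """Plugin-management POSTs from outside the trusted CIDRs, each annotated
    with the number of admin login POSTs the same IP made earlier in the log."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    logins_before = defaultdict(int)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] in LOGIN_PATHS:
            logins_before[rec["ip"]] += 1
            continue
        if PLUGIN_PATH_RE.search(rec["path"]) and not is_trusted(rec["ip"], nets):
            hits.append({
                "ip": rec["ip"], "time": rec["time"], "path": rec["path"],
                "status": rec["status"], "logins_before": logins_before[rec["ip"]],
            })
    return hits

# Constructed sample log (not real traffic): one expected admin session from the
# office range and one plugin install from an address outside it.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Apr/2021:10:01:02 +0000] "GET /admin/plugins HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Apr/2021:10:01:40 +0000] "POST /admin/plugins/install HTTP/1.1" 200 812 "https://cms.example/admin/plugins" "Mozilla/5.0"
203.0.113.77 - - [10/Apr/2021:10:05:11 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "curl/7.74.0"
203.0.113.77 - - [10/Apr/2021:10:05:15 +0000] "POST /admin/plugins/install?task=install HTTP/1.1" 200 812 "-" "curl/7.74.0"
203.0.113.77 - - [10/Apr/2021:10:06:03 +0000] "GET /admin/plugins HTTP/1.1" 200 5130 "-" "curl/7.74.0"
"""
TRUSTED_ADMIN_CIDRS = ["192.168.1.0/24"]  # assumed office range, matching the workaround above

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines(), TRUSTED_ADMIN_CIDRS):
        print(f"{hit['time']} {hit['ip']} POST {hit['path']} -> {hit['status']} "
              f"(admin logins earlier in log: {hit['logins_before']})")
```

In practice, feed the script the real access log and reuse the same CIDRs as in the web server workaround so that the allow-list and the detection agree. A hit with a non-zero logins_before value is the login-followed-by-install sequence; a hit with a 4xx status is still worth a look, since it shows someone outside the trusted range probing the installer.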
🔗 References
- https://github.com/getgrav/grav-plugin-admin/commit/a220359877fd1281f76ba732e5308e0e3002e4b1
- https://github.com/getgrav/grav-plugin-admin/security/advisories/GHSA-wg37-cf5x-55hq