CVE-2021-31746

9.8 CRITICAL

📋 TL;DR

CVE-2021-31746 is a Zip Slip vulnerability (path traversal during archive extraction, CWE-22) in Pluck-CMS 4.7.15. An authenticated user who can upload a zip archive can give entries names that contain traversal sequences such as "../"; when the CMS extracts the archive it writes those entries outside the intended directory and can overwrite existing files. Dropping a PHP file into a web-served directory turns this into code execution as the web server user. Every 4.7.15 installation with the archive upload functionality enabled is affected.

💻 Affected Systems

Products:
  • Pluck-CMS
Versions: 4.7.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the archive upload functionality to be enabled and an account that is allowed to use it; the extraction routine itself does not validate entry names, so no other configuration change removes the flaw.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through arbitrary code execution, data theft, and complete system control.

🟠

Likely Case

File system manipulation, website defacement, and potential backdoor installation.

🟢

If Mitigated

Writes stay confined to the intended extraction directory if entry names are validated before extraction and the web server user cannot write anywhere else.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (an account able to upload archives is required)
Complexity: LOW

Exploitation requires an authenticated account that can upload archives. Once that access is obtained the rest is trivial: a few lines of script that write entry names such as "../../target.php" directly into a zip produce the payload, and the CMS does the writing on extraction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.16 and later

Vendor Advisory: https://github.com/pluck-cms/pluck/issues/100

Restart Required: No

Instructions:

1. Back up the whole Pluck-CMS installation, including the data/ directory where Pluck keeps its content and settings (Pluck is a flat-file CMS and has no separate database to dump).
2. Download Pluck-CMS 4.7.16 or later from the official repository (https://github.com/pluck-cms/pluck).
3. Replace all files except the configuration and uploaded content under data/.
4. Verify that the site and the admin panel work, then re-test the upload path (see How to Verify below).

🔧 Temporary Workarounds

Disable File Uploads

Temporarily disable all file upload functionality in Pluck-CMS until the patch is applied: remove or rename the upload and module-install modules in the Pluck-CMS configuration, or deny POST requests to the admin upload endpoint at the web server so that no archive reaches the extraction code.

Implement Zip File Validation

Add server-side validation in PHP that inspects every entry name in an uploaded archive before anything is extracted, and rejects the whole archive if any name is absolute or contains a ".." component (normalise backslashes to "/" first, since extractors on some platforms treat both as separators). After extraction, additionally confirm that each written path still resolves inside the intended directory.
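A worked version of the validation workaround above, as an added example for this page: it is Python rather than Pluck-CMS's PHP and is not code from the project. It builds a Zip Slip archive in memory, computes where a naive extractor (plain os.path.join of the destination and the entry name) would write each entry without actually writing anything, and then extracts only after every entry name has been checked. The destination /srv/pluck/data/modules used when inspecting targets is an assumed example path, not Pluck's real module directory.

```python
"""Zip Slip walk-through: malicious archive, naive-extractor targets, safe extraction.
Added example, not Pluck-CMS code; paths below are assumptions."""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import Dict, List


def build_malicious_zip() -> bytes:
    """Constructed attacker archive: the entry *names* carry the attack."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("module/readme.txt", "legitimate-looking module file\n")
        zf.writestr("../../outside.php", "<?php /* lands two levels up */ ?>\n")
        zf.writestr("/etc/cron.d/evil", "# absolute-path entry\n")
        zf.writestr("module\\..\\..\\win.txt", "# backslash traversal\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed clean archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module/readme.txt", "fine\n")
        zf.writestr("module/lib/helper.php", "<?php // fine ?>\n")
    return buf.getvalue()


def is_safe_entry_name(name: str) -> bool:
    """Reject entry names that can leave the extraction directory."""
    n = name.replace("\\", "/")                    # backslashes count as separators
    if "\x00" in n:                                # NUL truncation tricks in C-level APIs
        return False
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return False                               # absolute POSIX path or drive letter
    norm = posixpath.normpath(n)                   # "a/../b" is fine, "a/../../b" is not
    return norm != ".." and not norm.startswith("../")


def unsafe_entries(zip_bytes: bytes) -> List[str]:
    """Names of every entry that fails the check (what an upload scanner reports)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_entry_name(n)]


def planned_targets(zip_bytes: bytes, dest: str) -> Dict[str, str]:
    """Where a naive extractor would write each entry. Computed only, never written."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: os.path.realpath(os.path.join(dest, n.replace("\\", "/")))
                for n in zf.namelist()}


def escapes(target: str, dest: str) -> bool:
    """True if target lies outside dest after ".." and symlink resolution."""
    dest_real = os.path.realpath(dest)
    return os.path.commonpath([dest_real, os.path.realpath(target)]) != dest_real


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Validate every entry, then extract; one bad entry rejects the whole archive."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        for info in infos:                         # check everything before writing anything
            if not is_safe_entry_name(info.filename):
                raise ValueError(f"traversal entry rejected: {info.filename!r}")
            if escapes(os.path.join(dest_real, info.filename), dest_real):
                raise ValueError(f"entry resolves outside dest: {info.filename!r}")
        written = []
        for info in infos:
            target = os.path.join(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())              # regular files only; no symlinks created
            written.append(info.filename)
    return written


def run_demo() -> dict:
    """Extract both archives into a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(build_malicious_zip(), d)
            rejected = False
        except ValueError:
            rejected = True
        leftovers = sum(len(files) for _, _, files in os.walk(d))
        written = safe_extract(build_benign_zip(), d)
    return {"rejected": rejected, "files_after_reject": leftovers, "written": written}


if __name__ == "__main__":
    for bad in unsafe_entries(build_malicious_zip()):
        print("unsafe entry:", bad)
    print(run_demo())
```

Reject the entire archive instead of silently skipping bad entries: a half-installed module is harder to reason about than a refused one, and the rejection is exactly the log event you want to alert on. The same is_safe_entry_name logic ports to PHP by iterating ZipArchive::getNameIndex() over numFiles before calling extractTo().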

🧯 If You Can't Patch

  • Block or rate-limit POST requests to the admin upload endpoint at the web server or WAF, and restrict admin panel access to trusted source addresses
  • Run the PHP process as a dedicated user that can write only to Pluck's data directory, and isolate the installation in a container or virtual machine so that a write outside that directory cannot reach anything else on the host

🔍 How to Verify

Check if Vulnerable:

Read the installed Pluck-CMS version from the admin panel or from the version file in the installation directory; 4.7.15 is affected.

Check Version:

Check /data/version.txt or the version shown in the admin panel

Verify Fix Applied:

Confirm the version is 4.7.16 or later, then test on a staging copy: upload an archive containing a harmless entry such as "../canary.txt" and confirm that the archive is rejected (or the entry skipped) and that no file appears outside the extraction directory.

📡 Detection & Monitoring

Log Indicators:

  • Successful POSTs to the admin upload endpoint followed shortly by requests for files that should not exist (a freshly written PHP file in the web root, for example)
  • PHP file-write or extraction errors, in particular "permission denied" on paths outside the upload directory, which indicates a traversal entry was attempted
  • Request URIs or extracted file names containing "../" or its URL-encoded forms ("..%2f", "%2e%2e/")
  • New or modified files outside the upload/module directory that are owned by the web server user

Network Indicators:

  • Repeated archive uploads to the admin endpoint from a single source IP within a short window
  • Upload bodies that are unusually small or large for a legitimate module or theme package

SIEM Query:

A query for any URI containing "upload" or "zip" with status 200 matches every ordinary upload and is too noisy to act on. Narrow it to successful POSTs against Pluck's admin front controller and aggregate per source, for example in Splunk-style syntax (field names depend on your web-server sourcetype; the threshold is illustrative):

source="web_server" method="POST" uri="/admin.php*" status=200
| stats count by src_ip
| where count > 3
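The same two indicators (traversal sequences in request URIs, and bursts of successful uploads from one client) as detection logic run over access-log lines, added here as an example for this page rather than taken from Pluck-CMS or any vendor tooling. The log lines are constructed; the admin path is assumed to be Pluck's admin.php front controller, and the "action=upload" query string in the sample is a placeholder, not a documented route.

```python
"""Detection over combined-format access logs: traversal probes and upload bursts.
Added example, not Pluck-CMS code; sample lines and the admin route are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Apache/Nginx "combined" format: ip ident user [ts] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ADMIN_PATH = "/admin.php"  # assumed: Pluck's admin front controller handles uploads
# Raw and URL-encoded parent-directory sequences in a request URI.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f", re.IGNORECASE)

# Constructed sample: one client uploads three archives in about a minute and then
# probes for the file it expects to have dropped; another probes with an encoded
# traversal; a third performs a single legitimate upload.
SAMPLE_LOG = """\
198.51.100.20 - - [10/May/2021:13:00:01 +0000] "GET /index.php HTTP/1.1" 200 3021
203.0.113.7 - - [10/May/2021:13:01:02 +0000] "GET /admin.php?action=modules HTTP/1.1" 200 4122
203.0.113.7 - - [10/May/2021:13:01:09 +0000] "POST /admin.php?action=upload HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2021:13:01:31 +0000] "POST /admin.php?action=upload HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2021:13:02:04 +0000] "POST /admin.php?action=upload HTTP/1.1" 200 512
203.0.113.7 - - [10/May/2021:13:02:40 +0000] "GET /data/../outside.php HTTP/1.1" 404 210
198.51.100.20 - - [10/May/2021:13:10:00 +0000] "POST /admin.php?action=upload HTTP/1.1" 200 512
192.0.2.9 - - [10/May/2021:13:12:13 +0000] "GET /images/..%2f..%2fconfig.php HTTP/1.1" 403 150
"""


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def analyze(lines: List[str], threshold: int = 3, window_s: int = 300) -> List[Tuple[str, str, str]]:
    """Return (rule, ip, detail) alerts for two indicators.

    traversal_probe: any request URI carrying a parent-directory sequence.
    upload_burst:    at least `threshold` successful POSTs to ADMIN_PATH from one IP
                     within `window_s` seconds (sliding window over sorted timestamps).
    """
    alerts: List[Tuple[str, str, str]] = []
    posts: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if TRAVERSAL_RE.search(rec["uri"]):
            alerts.append(("traversal_probe", rec["ip"], rec["uri"]))
        if (rec["method"] == "POST" and rec["uri"].startswith(ADMIN_PATH)
                and rec["status"] == 200):
            posts[rec["ip"]].append(rec["ts"])
    for ip, times in posts.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_s:
                alerts.append(("upload_burst", ip,
                               f"{threshold} POSTs to {ADMIN_PATH} within {int(span)}s"))
                break  # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The traversal rule catches probes in the request line only; an archive's entry names never appear in the access log, so the upload-burst rule is the one that fires during the attack itself, and the application-side rejection log from the validation workaround is the higher-fidelity signal.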
