CVE-2021-36766

7.2 HIGH

📋 TL;DR

This vulnerability allows attackers to inject malicious PHP objects into Concrete5 applications through deserialization of untrusted data. Attackers can exploit this to execute arbitrary PHP code on the server. All Concrete5 installations up to version 8.5.5 are affected.

💻 Affected Systems

Products:
  • Concrete5 CMS
Versions: Through 8.5.5
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP with phar:// stream wrapper enabled (default in most PHP installations).

⚠️ Risk & Real-World Impact

🔴 Worst Case
Full server compromise leading to data theft, ransomware deployment, or complete system takeover.

🟠 Likely Case
Remote code execution allowing attackers to deface websites, steal sensitive data, or install backdoors.

🟢 If Mitigated
Limited impact with proper input validation and file system restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to the dashboard, but public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.6 and later

Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/855-release-notes

Restart Required: No

Instructions:

1. Back up your Concrete5 installation and database.
2. Download Concrete5 version 8.5.6 or later from the official website.
3. Replace all files with the new version.
4. Run any required database updates through the dashboard.

🔧 Temporary Workarounds

Disable phar:// stream wrapper (applies to: all)
  Prevents exploitation by disabling the vulnerable stream wrapper.
  Add 'phar.readonly = 1' to php.ini

Input validation filter (applies to: all)
  Add input validation to block the phar:// protocol in the logFile parameter.
  Modify controllers/single_page/dashboard/system/environment/logging.php to validate input.

🧯 If You Can't Patch

  • Restrict dashboard access to trusted IP addresses only
  • Implement web application firewall rules to block requests containing 'phar://'

🔍 How to Verify

Check if Vulnerable:

Check if Concrete5 version is 8.5.5 or earlier in dashboard/system/environment/info

Check Version:

Check Concrete5 dashboard or view concrete/config/concrete.php version constant

Verify Fix Applied:

Verify version is 8.5.6 or later and test that phar:// input is rejected

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /dashboard/system/environment/logging/update_logging with phar:// in parameters
  • Unusual file operations or PHP errors related to deserialization

Network Indicators:

  • HTTP requests containing 'phar://' strings in POST data

SIEM Query:

web.url:*dashboard/system/environment/logging* AND web.post_data:*phar://*
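As an added example (not part of this advisory and not Concrete5 code), the log and network indicators above turned into detection logic over constructed JSON-lines request records; the record format, field names and sample requests are assumptions. It percent-decodes the POST body before matching, because the literal 'phar://' in the SIEM query above does not match a form-encoded 'phar%3A%2F%2F', and it matches the scheme case-insensitively.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample records, shaped like JSON-lines output from a reverse proxy
# or WAF that logs request bodies. Hypothetical traffic, not captured data.
SAMPLE_LOGS = """\
{"method":"POST","url":"/index.php/dashboard/system/environment/logging/update_logging","post_data":"logFile=application%2Ffiles%2Flog.txt"}
{"method":"POST","url":"/index.php/dashboard/system/environment/logging/update_logging","post_data":"logFile=phar%3A%2F%2F%2Ftmp%2Fupload.jpg"}
{"method":"POST","url":"/index.php/dashboard/system/environment/logging/update_logging","post_data":"logFile=PHAR://tmp/upload.jpg"}
{"method":"GET","url":"/index.php/dashboard/system/environment/logging","post_data":""}
{"method":"POST","url":"/index.php/dashboard/other_form","post_data":"note=phar%3A%2F%2Fnotes"}
"""

LOGGING_ENDPOINT = "dashboard/system/environment/logging"
# PHP resolves stream-wrapper schemes case-insensitively, so the pattern must too.
PHAR_SCHEME = re.compile(r"phar:", re.IGNORECASE)


def normalize(body: str, rounds: int = 3) -> str:
    """Percent-decode a form body until stable (bounded), so encoded variants compare as plain text."""
    for _ in range(rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body


def scan(log_text: str) -> list:
    """One finding per POST whose decoded body carries a phar: scheme.
    Severity follows the indicators above: logging endpoint = high, elsewhere = medium."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        rec = json.loads(raw)
        if rec.get("method") != "POST":
            continue
        body = normalize(rec.get("post_data", ""))
        if not PHAR_SCHEME.search(body):
            continue
        on_endpoint = LOGGING_ENDPOINT in rec.get("url", "")
        findings.append({"line": line_no, "severity": "high" if on_endpoint else "medium",
                         "url": rec["url"], "decoded_body": body})
    return findings
```

Run scan(SAMPLE_LOGS) to see the three hits; the first sample line is a benign save of the logFile setting and is correctly ignored.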
