CVE-2021-3924

7.5 HIGH

📋 TL;DR

CVE-2021-3924 is a path traversal vulnerability in Grav CMS that allows attackers to read arbitrary files outside the intended directory. This affects Grav installations with default configurations, potentially exposing sensitive server files like configuration files, logs, or source code.

💻 Affected Systems

Products:
  • Grav CMS
Versions: All versions before 1.7.22
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default Grav installations. The vulnerability is in the file handling component.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through reading sensitive configuration files containing credentials, followed by privilege escalation or lateral movement.

🟠

Likely Case

Exfiltration of sensitive configuration files, source code, or user data stored in accessible directories.

🟢

If Mitigated

Limited impact due to proper file permissions, web server restrictions, or network segmentation preventing access to critical files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted requests to vulnerable endpoints. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.22 and later

Vendor Advisory: https://github.com/getgrav/grav/commit/8f9c417c04b89dc8d2de60b95e7696821b2826ce

Restart Required: No

Instructions:

1. Update Grav CMS to version 1.7.22 or later using the built-in GPM (Grav Package Manager).
2. Run 'bin/gpm selfupgrade' from the Grav root directory.
3. Clear the cache if needed.

🔧 Temporary Workarounds

Web Server Path Restriction

Applies to: all platforms

Configure web server to restrict access to parent directories using rewrite rules or access controls.

# Apache: Use mod_rewrite to block directory traversal patterns
# Nginx: Add location blocks to restrict path access

File Permission Hardening

Applies to: Linux

Restrict file permissions on sensitive directories and configuration files.

chmod 600 sensitive-config-files
chown www-data:www-data web-root

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block path traversal patterns
  • Isolate Grav instance in a restricted network segment with limited file system access

🔍 How to Verify

Check if Vulnerable:

Check the Grav version in the admin panel or via the CLI: 'bin/gpm version'. If the version is below 1.7.22, the system is vulnerable.

Check Version:

php bin/gpm version

Verify Fix Applied:

After update, verify version is 1.7.22 or higher. Test by attempting path traversal requests that should now be blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' patterns
  • Access to unusual file paths in web logs
  • Failed file access attempts outside web root

Network Indicators:

  • Unusual GET requests with directory traversal sequences
  • Requests for known sensitive files like .env, config.php, etc.

SIEM Query:

web_access_logs WHERE url CONTAINS '../' OR url CONTAINS '..\\' OR url MATCHES '.*\\.\\./.*'
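As an added example (not part of this advisory), the following Python script applies the log indicators above to constructed access-log lines. It percent-decodes the URL before matching so encoded traversal sequences such as %2e%2e%2f, which the plain '../' query above misses, are caught, and it checks path segments rather than substrings so filenames that merely contain '..' are not flagged.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /user/pages/01.home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2021:13:55:40 +0000] "GET /some/path/../../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2021:13:55:41 +0000] "GET /some/path/%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2021:13:55:42 +0000] "GET /images/..%255c..%255cconfig.php HTTP/1.1" 200 1 "-" "python-requests/2.25"
203.0.113.5 - - [10/Oct/2021:13:55:50 +0000] "GET /user/pages/notes..old.txt HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_url(url: str, rounds: int = 3) -> str:
    """Percent-decode up to `rounds` times (catches double encoding) and fold backslashes to slashes."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")


def is_traversal(url: str) -> bool:
    """True when any path segment of the decoded URL is exactly '..'."""
    path = normalize_url(url).split("?", 1)[0]
    return any(segment == ".." for segment in path.split("/"))


def find_traversal(log_text: str) -> list:
    """Return one dict per request whose URL contains a traversal segment after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["url"]):
            # A 2xx status on a traversal request is the case that needs immediate follow-up.
            hits.append({"ip": m["ip"], "url": m["url"], "status": int(m["status"]),
                         "decoded": normalize_url(m["url"])})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```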
