CVE-2021-43835
📋 TL;DR
CVE-2021-43835 is a privilege escalation vulnerability in Sulu CMS where authenticated users with any admin UI access can exploit the ProfileController API to grant themselves additional permissions they shouldn't have. This affects Sulu CMS versions 2.0.0-RC1 through 2.2.17, 2.3.7, and pre-2.4.0. The vulnerability allows users to elevate their privileges beyond their assigned roles.
💻 Affected Systems
- Sulu CMS
📦 What is this software?
Sulu by Sulu
⚠️ Risk & Real-World Impact
Worst Case
An authenticated low-privilege user could gain administrative privileges, potentially compromising the entire CMS instance, accessing sensitive data, modifying content, or taking full control of the system.
Likely Case
Users with limited admin access (like content editors) could elevate to administrator roles, gaining unauthorized access to restricted areas and functions.
If Mitigated
With proper access controls and monitoring, the impact is limited to unauthorized permission changes that can be detected and rolled back.
🎯 Exploit Status
Exploitation requires authenticated access to the admin UI. The vulnerability is in the ProfileController putAction API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.18, 2.3.8, or 2.4.0
Vendor Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-84px-q68r-2fc9
Restart Required: Yes
Instructions:
1. Backup your Sulu installation and database.
2. Update Sulu via Composer: 'composer update sulu/sulu'.
3. Clear cache: 'bin/console cache:clear'.
4. Restart your web server.
5. Verify the update with 'composer show sulu/sulu'.
🔧 Temporary Workarounds
Manual patch application
Apply the security patch to ProfileController.php to fix the privilege escalation vulnerability.
Apply the patch from: https://github.com/sulu/sulu/commit/30bf8b5a4f83b6f2171a696011757d095edaa28a
🧯 If You Can't Patch
- Restrict admin UI access to only trusted administrators
- Implement network segmentation and monitor API calls to ProfileController endpoints
🔍 How to Verify
Check if Vulnerable:
Check your Sulu version with 'composer show sulu/sulu'. If the installed version is between 2.0.0-RC1 and 2.2.17, between 2.3.0 and 2.3.7, or any other version before 2.4.0, you are vulnerable.
Check Version:
composer show sulu/sulu | grep versions
Verify Fix Applied:
After updating, verify version is 2.2.18, 2.3.8, or 2.4.0+ with 'composer show sulu/sulu'.
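The version check above, scripted so it can be run against the output of 'composer show sulu/sulu' on many installations. This is an added example, not Sulu's own tooling; it assumes the patch versions from the Official Fix section (2.2.18 and 2.3.8 fix their branches, everything else needs 2.4.0) and the 'versions : * x.y.z' line format of composer show. The sample output is constructed.

```python
import re

# Per-branch fixed releases from the advisory; any other 2.x branch needs 2.4.0.
BRANCH_FIX = {(2, 2): "2.2.18", (2, 3): "2.3.8"}
FIRST_AFFECTED = "2.0.0-RC1"
GENERAL_FIX = "2.4.0"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d*))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def version_key(version):
    """Sort key for Sulu-style versions; pre-releases (RC1, beta2) sort before the final."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, 1, 0, 0)  # final release
    return (major, minor, patch, 0, _PRE_RANK.get(tag.lower(), 3), int(num or 0))


def is_vulnerable(version):
    """True if this Sulu version falls in the CVE-2021-43835 affected range."""
    key = version_key(version)
    if key < version_key(FIRST_AFFECTED):
        return False  # older than the range the advisory covers
    if key >= version_key(GENERAL_FIX):
        return False  # 2.4.0 or later
    branch_fix = BRANCH_FIX.get(key[:2])
    if branch_fix is not None and key >= version_key(branch_fix):
        return False  # 2.2.18+ or 2.3.8+ on their maintenance branches
    return True


def installed_version(composer_show_output):
    """Extract the installed version from 'composer show sulu/sulu' text."""
    for line in composer_show_output.splitlines():
        m = re.match(r"^versions\s*:\s*\*?\s*(\S+)", line)
        if m:
            return m.group(1)
    raise ValueError("no 'versions' line found in composer output")


def check(composer_show_output):
    """Return (version, vulnerable) for the given composer show output."""
    version = installed_version(composer_show_output)
    return version, is_vulnerable(version)


# Constructed sample of 'composer show sulu/sulu' output (not captured from a real host).
SAMPLE_COMPOSER_OUTPUT = "name     : sulu/sulu\nversions : * 2.2.17\n"
```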
📡 Detection & Monitoring
Log Indicators:
- Unusual permission modification requests via ProfileController API
- Users gaining new permissions without proper authorization workflow
Network Indicators:
- API calls to /admin/api/profile with permission modification payloads
SIEM Query:
source="web_logs" AND (uri_path="/admin/api/profile" AND http_method="PUT") AND (request_body CONTAINS "permissions" OR request_body CONTAINS "roles")