CVE-2022-21829
📋 TL;DR
This vulnerability in Concrete CMS lets an authenticated high-privilege user trigger the download of a zip file over an unencrypted HTTP connection, after which code from the archive is executed on the server. Because the transfer is plaintext, anyone able to intercept or tamper with that connection can substitute a malicious archive, which yields remote code execution on the CMS host. It affects Concrete CMS versions 9.0.0 through 9.0.2 and 8.5.7 and below. The root cause is that the system used the 'concrete' URL rather than the 'concrete_secure' URL for these requests, so the download went over HTTP instead of HTTPS.
💻 Affected Systems
- Concrete CMS
📦 What is this software?
Concrete CMS by Concretecms
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with complete administrative control, data exfiltration, and persistent backdoor installation across the entire CMS environment.
Likely Case
An administrator (or an attacker holding a high-privilege account) triggers a zip download while an attacker positioned on the network path between the CMS server and the download host substitutes a malicious archive; the code inside it runs as the web server user, giving control of the CMS instance and a foothold on the underlying host.
If Mitigated
With plain outbound HTTP from the CMS server blocked and administrative accounts limited and protected by MFA, there is no plaintext download for an attacker to tamper with; network segmentation and least-privilege service accounts then also confine any compromise to the CMS application tier.
🎯 Exploit Status
Exploitation requires a high-privilege authenticated user to trigger a zip download, plus the ability to observe and modify that plaintext HTTP connection (for example from a position on the network path between the CMS server and the download host). The vulnerability is publicly documented but no public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Concrete CMS 9.0.3 and 8.5.8
Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
Restart Required: No
Instructions:
1. Back up your Concrete CMS installation and database.
2. Update to Concrete CMS 9.0.3 (9.x branch) or 8.5.8 (8.5.x branch).
3. Verify the update by checking the version in the dashboard.
4. Test core functionality to ensure no breaking changes.
🔧 Temporary Workarounds
Enforce HTTPS for the outbound download and for the site itself
The vulnerable connection is the outbound one: the CMS server fetching a zip file over plain HTTP. Redirecting visitors' inbound HTTP to HTTPS (below) is good hygiene but does not close that path on its own. The stock configuration file `concrete/config/concrete.php` defines the remote URLs under `urls` (`concrete` and `concrete_secure`); an override in `application/config/concrete.php` that sets `urls.concrete` to the HTTPS value removes the plaintext fetch. Confirm the key names against your installed version before relying on this, and additionally block plain outbound HTTP from the web server at the firewall or egress proxy. Then configure your web server (Apache/Nginx) to redirect all inbound HTTP traffic to HTTPS.
# Apache: Add to .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Nginx: Add to server block
server {
listen 80;
server_name yourdomain.com;
return 301 https://$server_name$request_uri;
}
Restrict high-privilege user access
Limit the number of users with administrative privileges, require multi-factor authentication for all admin accounts, and avoid triggering package or archive downloads from the dashboard until the patch is applied.
🧯 If You Can't Patch
- Block plain outbound HTTP (TCP/80) from the Concrete CMS server at the firewall, or force all egress through a proxy that only permits HTTPS to the hosts the CMS downloads from
- Alert on, or deny at the egress proxy, any plaintext HTTP response carrying a zip archive destined for the web server; an inbound web application firewall (WAF) does not see this traffic and cannot block the vulnerable download by itself
🔍 How to Verify
Check if Vulnerable:
Check your Concrete CMS version in the dashboard under System & Settings > System Information. If the version is 9.0.0 through 9.0.2, or 8.5.7 or lower, you are running an affected release.
Check Version:
Check Concrete CMS dashboard: System & Settings > System Information > Version
Verify Fix Applied:
After updating, verify that the version shown in System Information is 9.0.3 or 8.5.8 (or later on its branch). Then trigger a legitimate zip download and confirm from egress traffic (firewall or proxy logs) that the CMS server connects to the download host over HTTPS on port 443, not over HTTP on port 80.
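As an added example (not part of this advisory or of Concrete CMS itself), the same check scripted for use across many installs: it reads the `'version' => '...'` entry that the stock `concrete/config/concrete.php` carries and compares it against the affected ranges above. The sample config text below is constructed for the example, and the file path and key layout are assumptions to confirm against your install.

```python
import re
import sys

# Fixed releases named in the advisory; everything below them on each branch is affected.
FIXED_8X = (8, 5, 8)
FIXED_9X = (9, 0, 3)

# Constructed stand-in for the top of concrete/config/concrete.php (assumed layout).
SAMPLE_CONFIG = """<?php
return [
    'version' => '9.0.2',
    'version_installed' => '9.0.2',
    'version_db' => '20220120000000',
];
"""

# Matches only the bare 'version' key, not 'version_installed' or 'version_db'.
VERSION_RE = re.compile(r"'version'\s*=>\s*'([^']+)'")


def version_from_config(php_text: str) -> str:
    """Extract the 'version' entry from the text of a Concrete config file."""
    m = VERSION_RE.search(php_text)
    if not m:
        raise ValueError("no 'version' entry found in config text")
    return m.group(1)


def parse_version(version: str) -> tuple:
    """'9.0.2' -> (9, 0, 2); a missing patch level counts as 0, trailing suffixes are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True when the version is 9.0.0 through 9.0.2, or 8.5.7 or below."""
    v = parse_version(version)
    if v >= (9, 0, 0):
        return v < FIXED_9X
    # "8.5.7 and below": anything older than 8.5.8, including earlier 8.x releases.
    return v < FIXED_8X


if __name__ == "__main__":
    # Usage: python check_concrete.py /var/www/site/concrete/config/concrete.php
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CONFIG
    ver = version_from_config(text)
    print(f"Concrete CMS {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
```

Run it against the real config file path after patching as well: a result of "not affected" for 9.0.3 or 8.5.8 confirms the version string the dashboard reports.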
📡 Detection & Monitoring
Log Indicators:
- Egress proxy or firewall logs showing the CMS server fetching .zip files (or application/zip responses) over plain HTTP rather than HTTPS
- Unexpected file writes under the Concrete installation directory (new package directories or PHP files) shortly after such a download
- Unusual process creation or file execution by the web server user
Network Indicators:
- Plain HTTP (port 80) connections from the CMS server to hosts it should only reach over HTTPS
- Unusual outbound connections from the web server following a zip download (reverse shells, beaconing)
SIEM Query:
Illustrative; field names depend on your proxy or firewall log source, and the query must run against egress logs, not the site's inbound access logs:
source="egress_proxy_logs" AND src_ip="<cms_server_ip>" AND url="http://*" AND (url="*.zip" OR content_type="application/zip")
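The query above needs an egress log source that records the full destination URL. As an added example that is not from the advisory or from Concrete CMS, here is the same logic run over a handful of constructed proxy log lines (the key=value format, the CMS address 10.0.1.5 and the hostnames are all invented for the example): it flags only plaintext HTTP fetches of zip content that originate from the CMS server, and ignores HTTPS fetches, non-zip content and other source hosts.

```python
import re
from urllib.parse import urlparse

# Assumed address(es) of the Concrete CMS web server; adjust for your environment.
CMS_HOSTS = {"10.0.1.5"}

# Constructed egress-proxy log sample (key=value format invented for this example).
SAMPLE_LOG = """\
2022-01-20T10:14:58Z src=10.0.1.5 method=GET url=https://example.org/package-a.zip status=200 bytes=51200
2022-01-20T10:15:01Z src=10.0.1.5 method=GET url=http://example.org/package-b.zip status=200 bytes=48213
2022-01-20T10:15:07Z src=10.0.1.9 method=GET url=http://example.org/package-c.zip status=200 bytes=48213
2022-01-20T10:15:12Z src=10.0.1.5 method=GET url=http://example.org/index.html status=200 bytes=2048
2022-01-20T10:15:20Z src=10.0.1.5 method=GET url=http://example.org/download?id=42 status=200 bytes=77000 content_type=application/zip
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value key=value ...' into a dict (timestamp stored under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def is_zip_download(fields: dict) -> bool:
    """Zip by URL path, or by the proxy's recorded response content type (covers download?id=... URLs)."""
    path = urlparse(fields.get("url", "")).path.lower()
    if path.endswith(".zip"):
        return True
    return fields.get("content_type", "").lower() == "application/zip"


def find_plaintext_zip_downloads(log_text: str, cms_hosts=CMS_HOSTS) -> list:
    """Return the log entries where a CMS host pulled zip content over plain http://."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("src") not in cms_hosts:
            continue                                   # other hosts are out of scope
        if urlparse(f.get("url", "")).scheme != "http":
            continue                                   # HTTPS fetches are the expected case
        if not is_zip_download(f):
            continue
        hits.append({"ts": f["ts"], "src": f["src"], "url": f["url"]})
    return hits


if __name__ == "__main__":
    for hit in find_plaintext_zip_downloads(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['src']} fetched zip over plaintext HTTP: {hit['url']}")
```

Against the sample, only the second and fifth lines are reported; the first is HTTPS, the third comes from a host that is not the CMS server, and the fourth is not a zip. Hits seen after an administrator triggered a package download, followed by new files under the install directory, are the sequence this advisory describes.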
🔗 References
- https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes
- https://hackerone.com/reports/1482520