CVE-2022-23793

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to perform path traversal attacks by uploading specially crafted tar archives to Joomla! installations. When extracted, these archives can write files outside the intended directory, potentially leading to arbitrary file overwrites or remote code execution. All Joomla! installations from version 3.0.0 through 3.10.6 and 4.0.0 through 4.1.0 are affected.

💻 Affected Systems

Products:
  • Joomla!
Versions: 3.0.0 through 3.10.6 and 4.0.0 through 4.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires ability to upload tar archives, which may be available through various Joomla! extensions or components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case

Arbitrary file overwrite allowing website defacement, configuration modification, or privilege escalation.

🟢 If Mitigated

Limited impact with proper file permissions and web server restrictions preventing execution of uploaded files.

🌐 Internet-Facing: HIGH - Joomla! is typically internet-facing and the vulnerability can be exploited via file upload functionality.
🏢 Internal Only: MEDIUM - Internal Joomla! installations could be exploited by authenticated internal users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires file upload capability, which typically requires some level of authentication, though some configurations may allow unauthenticated uploads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Joomla! 3.10.7 and 4.1.1

Vendor Advisory: https://developer.joomla.org/security-centre/870-20220301-core-zip-slip-within-the-tar-extractor.html

Restart Required: No

Instructions:

1. Backup your Joomla! installation and database.
2. Download the latest version from joomla.org.
3. Use the Joomla! Update component or manually replace files.
4. Clear cache and test functionality.

🔧 Temporary Workarounds

Disable tar file uploads

all

Restrict or disable functionality that allows tar archive uploads through Joomla! extensions or components.

Implement file upload restrictions

all

Configure web server to restrict file uploads to specific directories with proper permissions.

🧯 If You Can't Patch

  • Implement strict file upload validation and sanitization for all tar archives.
  • Apply principle of least privilege to web server and file system permissions.
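One way to implement the validation step above, as an added example that is not from the advisory or from Joomla's own code: a pre-extraction check in Python that flags tar members whose resolved path, or whose hard/symbolic link target, would land outside the destination directory. The sample archive, the member names and the destination path are constructed for illustration.

```python
import io
import os
import tarfile


def unsafe_tar_members(data: bytes, dest_dir: str) -> list:
    """Return names of tar members that would be written outside dest_dir.

    Flags absolute names, '..' traversal, and link entries whose target
    resolves outside dest_dir. Run this before extracting an upload.
    """
    dest = os.path.realpath(dest_dir)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            # os.path.join discards dest when m.name is absolute, so an
            # absolute member name fails the prefix check as well
            target = os.path.realpath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(m.name)
                continue
            if m.issym() or m.islnk():
                # symlink targets are relative to the link's own directory;
                # hardlink targets are relative to the archive root
                base = os.path.dirname(target) if m.issym() else dest
                link = os.path.realpath(os.path.join(base, m.linkname))
                if os.path.commonpath([dest, link]) != dest:
                    bad.append(m.name)
    return bad


def build_sample_tar() -> bytes:
    """Constructed sample: one benign file, one '..' entry, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in [("images/logo.txt", b"ok"),
                              ("../../configuration.php", b"x")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("tmp/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    print(unsafe_tar_members(build_sample_tar(), "/var/www/html/tmp"))
```

Reject the whole upload when the returned list is non-empty rather than extracting only the benign members, since a legitimate archive has no reason to contain such entries.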

🔍 How to Verify

Check if Vulnerable:

Check the Joomla! version in the administrator panel, or examine the <version> tag in /administrator/manifests/files/joomla.xml.

Check Version:

grep '<version>' /path/to/joomla/administrator/manifests/files/joomla.xml

Verify Fix Applied:

Confirm version is 3.10.7 or higher for Joomla! 3.x, or 4.1.1 or higher for Joomla! 4.x.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload activity, particularly tar archives with path traversal sequences (../)
  • File write operations outside expected upload directories

Network Indicators:

  • HTTP POST requests with tar file uploads to Joomla! endpoints

SIEM Query:

source="web_logs" AND (uri_path="*tar*" OR file_extension="tar") AND (user_agent="*Joomla*" OR referrer="*joomla*")
