CVE-2022-28397

9.8 CRITICAL

📋 TL;DR

CVE-2022-28397 is an arbitrary file upload issue in Ghost CMS v4.42.0: a user who can reach the upload functionality can store files of types the server never needed to accept, and under some server configurations those files could lead to code execution. The vendor's position is that the upload behaviour is intentional functionality for trusted users, so the practical exposure is governed by how tightly upload rights are assigned and how uploaded content is validated before it is written to disk.

💻 Affected Systems

Products:
  • Ghost CMS
Versions: v4.42.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vendor states this is intentional functionality for trusted users; vulnerability exists when access controls are insufficient.

📦 What is this software?

Ghost is an open-source publishing platform (blog/CMS) built on Node.js. Its admin interface and admin API, which include the image and file upload functionality, are served under the /ghost/ path, and uploaded content is served back to visitors from the site's /content/ path.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing remote code execution, data theft, and complete system control.

🟠 Likely Case

Unauthorized file upload leading to defacement or data manipulation; code execution only where something on the host executes files written to the upload directory (Ghost itself only serves them as static content).

🟢 If Mitigated

No impact when upload rights are limited to trusted accounts and uploaded content is validated server-side, as the vendor intends.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an account with access to the file upload functionality; no unauthenticated path is known. Upload rights should therefore be restricted to authenticated, trusted users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.42.1 and later

Vendor Advisory: https://ghost.org/docs/security/

Restart Required: Yes

Instructions:

1. Back up your Ghost installation and database.
2. Update Ghost CMS to v4.42.1 or later, using Ghost-CLI (`ghost update`) where the install is managed by it, or the method the install was originally deployed with (npm, Docker image tag).
3. Restart the Ghost service (`ghost update` does this for you).

🔧 Temporary Workarounds

Restrict File Upload Permissions (all platforms)

Limit file upload functionality to trusted administrative users: configure user roles in the Ghost admin panel so that only those roles hold upload permissions, and remove upload rights from accounts that do not need them.

Implement File Type Validation (all platforms)

Add server-side validation that rejects anything outside an allow-list: check the file extension, the declared MIME type, and the file's actual content (magic bytes), and never reuse the client-supplied name on disk. This can be done in Ghost's configuration, in middleware in front of the upload handler, or at the reverse proxy.

🧯 If You Can't Patch

  • Disable file upload functionality entirely if not required
  • Implement strict access controls and audit all users with upload permissions

🔍 How to Verify

Check if Vulnerable:

Check the Ghost version in the admin panel, or run `ghost version` from the Ghost install directory (it prints both the Ghost-CLI version and the installed Ghost version; the second is the one that matters here).

Check Version:

ghost version

Verify Fix Applied:

Confirm the reported Ghost version is v4.42.1 or later, then test from a low-privileged account that uploads of non-image files are rejected and that accounts without upload rights cannot reach the upload endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads, especially with executable or script extensions, or uploads by accounts that do not normally publish
  • Multiple rejected upload attempts from a single user in a short period (probing the type filter)

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious file names, followed by GET requests for non-image files under the site's /content/ path

SIEM Query:

source="ghost.log" AND ("upload" OR "/content/") AND (".php" OR ".phtml" OR ".exe" OR ".sh" OR ".html")

Treat the extension list as a starting point and extend it to whatever the host in front of Ghost would interpret; tune the "/content/" clause to the extensions the site legitimately serves.
