CVE-2024-34082

8.5 HIGH

📋 TL;DR

This vulnerability in Grav CMS allows low-privileged users with page edit permissions to read arbitrary server files using Twig syntax, including sensitive user account files containing password hashes, 2FA secrets, and password reset tokens. This can lead to account compromise and full system takeover. All Grav installations with user accounts are affected.

💻 Affected Systems

Products:
  • Grav CMS
Versions: All versions prior to 1.7.46
Operating Systems: All platforms running Grav
Default Config Vulnerable: ⚠️ Yes
Notes: Requires at least one user account with page edit permissions. The vulnerability exists in the default configuration when such users exist.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise: an attacker gains administrative access, reads all server files, and takes over all user accounts including administrators.

🟠 Likely Case

Account takeover of regular users and administrators through password hash cracking or password reset token theft, potentially leading to data exfiltration.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place, but the arbitrary file read capability still carries significant risk.

🌐 Internet-Facing: HIGH - Web applications are typically internet-facing, and this vulnerability requires only low-privilege access.
🏢 Internal Only: HIGH - Even internal applications are at risk from insider threats or compromised low-privilege accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated low-privilege access but is straightforward using Twig syntax. Public proof-of-concept exists in advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.46

Vendor Advisory: https://github.com/getgrav/grav/security/advisories/GHSA-f8v5-jmfh-pr69

Restart Required: No

Instructions:

1. Back up your Grav installation.
2. Update Grav to version 1.7.46 or later via Composer (composer update getgrav/grav) or manual download.
3. Clear the cache if needed.
4. Verify that the update was successful.

🔧 Temporary Workarounds

Restrict Page Edit Permissions (platform: all)

Temporarily remove page edit permissions from all non-administrative users until patching is complete.

Edit user account YAML files to remove 'pages: edit' permissions.

File System Restrictions (platform: linux)

Implement strict file system permissions to limit web server access to sensitive directories.

# Caveat: Grav reads user/accounts/*.yaml from the PHP process to authenticate users.
# With root ownership and mode 600 the PHP process can no longer read them, which blocks
# the Twig-based read but also breaks normal logins; if the files stay owned by the PHP
# user instead, the Twig read is not blocked, because it runs as that same user.
chmod 600 /grav/user/accounts/*.yaml
chown root:root /grav/user/accounts/*.yaml

🧯 If You Can't Patch

  • Immediately audit and restrict all user accounts with page edit permissions to trusted administrators only.
  • Implement strict monitoring of user account YAML files for unauthorized access attempts and review audit logs daily.

🔍 How to Verify

Check if Vulnerable:

Check the Grav version in the admin panel or via the CLI: php bin/grav version. If the version is below 1.7.46, the installation is vulnerable.

Check Version:

php bin/grav version

Verify Fix Applied:

Confirm version is 1.7.46 or higher: php bin/grav version. Test that low-privilege users cannot access sensitive files via page editing.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in web server logs
  • Multiple failed authentication attempts followed by successful login from new locations
  • Suspicious Twig syntax in page edit requests
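One way to act on the "suspicious Twig syntax" indicator is to audit the stored page content itself, since edits made through the admin are persisted as Markdown files under user/pages. The scanner below is an added example, not code from Grav or from this advisory; it assumes Grav's page layout (a YAML header between '---' lines followed by a Markdown body) and that the header key 'twig: true' under 'process' is what enables Twig rendering of the body.

```python
"""Flag Twig syntax in Grav page files (added example, not Grav project code)."""
import re
from pathlib import Path

# A Grav page is a Markdown file with an optional YAML header between '---' lines.
FRONTMATTER = re.compile(r"\A---\s*\n(.*?)\n---\s*\n", re.DOTALL)
# Twig output, statement and comment delimiters.
TWIG_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.DOTALL)

def split_page(text):
    """Return (frontmatter, body); frontmatter is '' when the page has none."""
    m = FRONTMATTER.match(text)
    return (m.group(1), text[m.end():]) if m else ("", text)

def twig_enabled(frontmatter):
    """True when the header asks Grav to process Twig in the body (assumed key: 'twig: true')."""
    return re.search(r"^\s*twig:\s*true\s*$", frontmatter, re.MULTILINE) is not None

def find_twig_tags(text):
    """Return [(line_number, tag)] for each Twig tag in the body, numbered from the file start."""
    _, body = split_page(text)
    header_lines = text.count("\n", 0, len(text) - len(body))
    return [(header_lines + body.count("\n", 0, m.start()) + 1, m.group(0))
            for m in TWIG_TAG.finditer(body)]

def scan_pages(root):
    """Walk a user/pages tree and report every page whose body contains Twig tags."""
    report = []
    for path in sorted(Path(root).rglob("*.md")):
        text = path.read_text(encoding="utf-8", errors="replace")
        tags = find_twig_tags(text)
        if tags:
            report.append({"file": str(path), "twig_enabled": twig_enabled(split_page(text)[0]), "tags": tags})
    return report

# Constructed sample page, not content from a real site: header enables Twig, body carries three tags.
SAMPLE_PAGE = """---
title: Contact
process:
    twig: true
---
# Contact us

Reach us at {{ site.email }} during office hours.
{% if user.authenticated %}Welcome back.{% endif %}
"""

if __name__ == "__main__":
    for line, tag in find_twig_tags(SAMPLE_PAGE):
        print(f"line {line}: {tag}")
```

Pages that carry Twig tags but were last edited by a non-administrative account, or whose header does not enable Twig processing, are the ones worth reviewing first.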

Network Indicators:

  • Unusual outbound traffic patterns after user login
  • Multiple password reset requests for different accounts

SIEM Query:

source="web_server_logs" AND (uri CONTAINS "/admin/pages" OR uri CONTAINS "twig") AND (response_code=200 OR response_code=302) AND user_agent NOT IN ["expected_user_agents"]
