CVE-2024-41109
📋 TL;DR
This vulnerability in Pimcore's Admin Classic Bundle exposes sensitive system information to authenticated users. By accessing the /admin/index/statistics endpoint, attackers can obtain details about the Pimcore installation, PHP/MySQL versions, installed bundles, and database tables. This affects all Pimcore installations using vulnerable versions of the Admin Classic Bundle.
💻 Affected Systems
- Pimcore Admin Classic Bundle
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain detailed system intelligence for targeted attacks, potentially leading to privilege escalation, database compromise, or exploitation of other vulnerabilities using version-specific exploits.
Likely Case
Information disclosure that enables reconnaissance for further attacks, potentially exposing sensitive configuration details and database structure.
If Mitigated
Limited impact with proper access controls, but still exposes unnecessary system information to authenticated users.
🎯 Exploit Status
Exploitation requires authenticated access to the admin interface. The vulnerability is simple to exploit by navigating to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.2, 1.4.6, or 1.3.10
Vendor Advisory: https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-fx6j-9pp6-ph36
Restart Required: No
Instructions:
1. Update Pimcore Admin Classic Bundle to version 1.5.2, 1.4.6, or 1.3.10.
2. Run composer update pimcore/admin-ui-classic-bundle.
3. Clear cache if necessary.
🔧 Temporary Workarounds
Access Control Restriction
Restrict access to the /admin/index/statistics endpoint using web server configuration or application-level access controls.
# Example for Apache: RewriteRule ^/admin/index/statistics$ - [F]
# Example for Nginx: location ~ ^/admin/index/statistics$ { return 403; }
🧯 If You Can't Patch
- Implement strict access controls to limit which users can access admin endpoints.
- Monitor access logs for requests to /admin/index/statistics and investigate unauthorized access.
🔍 How to Verify
Check if Vulnerable:
Access /admin/index/statistics as an authenticated user. If system information is displayed, the system is vulnerable.
Check Version:
composer show pimcore/admin-ui-classic-bundle | grep version
Verify Fix Applied:
After updating, access /admin/index/statistics. The detailed system information should no longer be displayed.
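A small helper for the version check above, added here as an example and not part of the advisory or of Pimcore's own tooling. It parses the versions line of `composer show pimcore/admin-ui-classic-bundle` output and compares per branch, because the fixed releases are branch-specific: 1.5.0 is numerically newer than 1.4.6 but still lacks the fix. Treating branches older than 1.3 as unpatched and branches newer than 1.5 as fixed is an assumption, marked in the code.

```python
import re
from typing import Optional

# Patched releases from the advisory, keyed by maintained branch (major, minor).
FIXED_BY_BRANCH = {
    (1, 5): (1, 5, 2),
    (1, 4): (1, 4, 6),
    (1, 3): (1, 3, 10),
}
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)


def parse_version(text: str) -> Optional[tuple]:
    """Pull the first major.minor.patch out of a version string or a
    `composer show pimcore/admin-ui-classic-bundle` output line."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the installed version lacks the fix for CVE-2024-41109.
    Comparison is per branch: 1.5.0 is newer than 1.4.6 but still vulnerable."""
    version = parse_version(text)
    if version is None:
        return None  # no version found; cannot decide
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return True  # assumption: no patched release exists for branches older than 1.3
    return False  # assumption: branches newer than 1.5 were cut after the fix landed


def check_composer_output(output: str) -> dict:
    """Summarise the `versions` line of `composer show` output."""
    for line in output.splitlines():
        if line.strip().startswith("versions"):
            return {"version": parse_version(line), "vulnerable": is_vulnerable(line)}
    return {"version": None, "vulnerable": None}


if __name__ == "__main__":
    # Constructed sample of `composer show pimcore/admin-ui-classic-bundle` output.
    sample = "name     : pimcore/admin-ui-classic-bundle\nversions : * 1.4.5\n"
    print(check_composer_output(sample))
```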
📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /admin/index/statistics endpoint
- Unusual access patterns to admin statistics
Network Indicators:
- Traffic to /admin/index/statistics endpoint from unusual sources
SIEM Query:
source="web_access_logs" AND uri_path="/admin/index/statistics"
🔗 References
- https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40
- https://github.com/pimcore/admin-ui-classic-bundle/commit/afa10bff2f8bfe9c8af7b6b75885bc403f6984f0
- https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.5.2
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-fx6j-9pp6-ph36