Pimcore vulnerable to Exposure of Sensitive Information to an Unauthorized Actor · CVE-2023-3819 · GitHub Advisory Database · GitHub

Pimcore vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

High severity GitHub Reviewed Published Jul 21, 2023 in pimcore/pimcore • Updated Nov 5, 2023

Package

pimcore/pimcore (Composer)

Affected versions

< 10.6.4

Patched versions

10.6.4

Description

Impact

Unauthorized users are able to obtain sensitive information about the system's runtime environment, features they have no permissions to access, etc.

Patches

Update to version 10.6.4 or apply this patch manually https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54.patch manually.

References

https://huntr.dev/bounties/be5e4d4c-1b0b-4c01-a1fc-00533135817c/

References

dvesh3 published to pimcore/pimcore

Jul 21, 2023

Published by the National Vulnerability Database

Jul 21, 2023

Published to the GitHub Advisory Database Jul 21, 2023

Reviewed Jul 21, 2023

Last updated Nov 5, 2023

Severity

High

7.6

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L