CVE-2021-21355

{"id": "CVE-2021-21355", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2021-03-23T02:15:12.627", "references": [{"url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-2r6j-862c-m2v2", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://packagist.org/packages/typo3/cms-form", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://typo3.org/security/advisory/typo3-core-sa-2021-002", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-552"}]}], "descriptions": [{"lang": "en", "value": "TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 8.7.40, 9.5.25, 10.4.14, 11.1.1, due to the lack of ensuring file extensions belong to configured allowed mime-types, attackers can upload arbitrary data with arbitrary file extensions - however, default _fileDenyPattern_ successfully blocked files like _.htaccess_ or _malicious.php_. Besides that, _UploadedFileReferenceConverter_ transforming uploaded files into proper FileReference domain model objects handles possible file uploads for other extensions as well - given those extensions use the Extbase MVC framework, make use of FileReference items in their direct or inherited domain model definitions and did not implement their own type converter. In case this scenario applies, _UploadedFileReferenceConverter_ accepts any file mime-type and persists files in the default location. In any way, uploaded files are placed in the default location _/fileadmin/user_upload/_, in most scenarios keeping the submitted filename - which allows attackers to directly reference files, or even correctly guess filenames used by other individuals, disclosing this information. No authentication is required to exploit this vulnerability. This is fixed in versions 8.7.40, 9.5.25, 10.4.14, 11.1.1."}, {"lang": "es", "value": "TYPO3 es un sistema de gesti\u00f3n de contenidos web de c\u00f3digo abierto basado en PHP. En TYPO3 versiones anteriores a la 8.7.40, 9.5.25, 10.4.14, 11.1.1, debido a la falta de garant\u00eda de que las extensiones de archivo pertenecen a los tipos mime permitidos configurados, los atacantes pueden subir datos arbitrarios con extensiones de archivo arbitrarias - sin embargo, _fileDenyPattern_ por defecto bloquea con \u00e9xito archivos como _.htaccess_ o _malicious.php_. Adem\u00e1s de eso, _UploadedFileReferenceConverter_ transforma los archivos subidos en objetos de modelo de dominio FileReference apropiados y maneja posibles subidas de archivos para otras extensiones tambi\u00e9n - dado que esas extensiones usan el marco MVC de Extbase, hacen uso de elementos FileReference en sus definiciones de modelo de dominio directas o heredadas y no implementaron su propio convertidor de tipos. En caso de que este escenario se aplique, _UploadedFileReferenceConverter_ acepta cualquier tipo mime de archivo y persigue los archivos en la ubicaci\u00f3n predeterminada. De cualquier manera, los archivos subidos se colocan en la ubicaci\u00f3n por defecto _/fileadmin/user_upload/_, en la mayor\u00eda de los escenarios manteniendo el nombre del archivo enviado - lo que permite a los atacantes referenciar directamente los archivos, o incluso adivinar correctamente los nombres de los archivos utilizados por otras personas, revelando esta informaci\u00f3n. No se requiere autenticaci\u00f3n para explotar esta vulnerabilidad. Esto est\u00e1 corregido en las versiones 8.7.40, 9.5.25, 10.4.14, 11.1.1"}], "lastModified": "2021-03-26T18:47:32.113", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F10B90F0-DA5C-4A80-BD4F-124B6C82CE8B", "versionEndExcluding": "8.7.40", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8CB3125B-114D-4991-BD60-9535D97DD348", "versionEndExcluding": "9.5.25", "versionStartIncluding": "9.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C031A87F-5A82-48F8-AB02-FED0CDFE08A2", "versionEndExcluding": "10.4.14", "versionStartIncluding": "10.0.0"}, {"criteria": "cpe:2.3:a:typo3:typo3:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F696292E-3CC6-416B-9F99-6C1287B1D78D", "versionEndExcluding": "11.1.1", "versionStartIncluding": "11.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}