CVE-2021-22966

Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HCredit for discovery: "Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )"This fix is also in Concrete version 9.0.0

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes	Release Notes Vendor Advisory
https://hackerone.com/reports/1362747	Permissions Required

Configurations

Configuration 1 (hide)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

12 Jul 2022, 17:42

Type	Values Removed	Values Added
CWE	~~CWE-269~~	CWE-863

23 Nov 2021, 13:19

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.5 v3 : 8.8
CPE		cpe:2.3:a:concretecms:concrete_cms::::::::
CWE		CWE-269
References	~~(MISC) https://hackerone.com/reports/1362747 -~~	(MISC) https://hackerone.com/reports/1362747 - Permissions Required
References	~~(MISC) https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes -~~	(MISC) https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes - Release Notes, Vendor Advisory

19 Nov 2021, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-11-19 19:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-22966

Mitre link : CVE-2021-22966

CVE.ORG link : CVE-2021-22966

JSON object : View

Products Affected

concretecms

concrete_cms

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2021-22966", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-11-19T19:15:08.327", "references": [{"url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes", "tags": ["Release Notes", "Vendor Advisory"], "source": "support@hackerone.com"}, {"url": "https://hackerone.com/reports/1362747", "tags": ["Permissions Required"], "source": "support@hackerone.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted \"view\" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HCredit for discovery: \"Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )\"This fix is also in Concrete version 9.0.0"}, {"lang": "es", "value": "Una escalada de privilegios de Editor a Administrador usando Grupos en Concrete CMS versiones 8.5.6 e inferiores. Si a un grupo le es concedido permisos \"view\" en la p\u00e1gina de bulkupdate, entonces usuarios de ese grupo pueden escalar a ser un administrador con un curl especialmente dise\u00f1ado. Ha sido corregido a\u00f1adiendo una comprobaci\u00f3n de los permisos de grupo antes de permitir que sea movido un grupo. Puntuaci\u00f3n CVSS del equipo de seguridad de CMS concreto: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HCredit for discovery: \"Adrian Tiron de FORTBRIDGE ( https://www.fortbridge.co.uk/ ) \"Esta correcci\u00f3n tambi\u00e9n est\u00e1 en Concrete versi\u00f3n 9.0.0"}], "lastModified": "2022-07-12T17:42:04.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B7FD65C-EFA6-40A6-9698-FFEDD4846EE1", "versionEndExcluding": "8.5.7"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}