This repository has been archived by the owner on Mar 1, 2023. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Automatically updated on Fri, 11 Jun 2021 05:00:39 GMT
- Loading branch information
Showing
3 changed files
with
4 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,2 @@ | ||
| /* | ||
| Last-Modified: Wed, 09 Jun 2021 05:00:35 GMT | ||
| Last-Modified: Fri, 11 Jun 2021 05:00:39 GMT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 135bd28508a92b32b675d6f1f161358e3e8ee2db811 | ||
| 136bd28508a92b32b675d6f1f161358e3e8ee2db811 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9783,14 +9783,14 @@ | |
| }, | ||
| "getgrav/grav": { | ||
| "CVE-2021-29440": { | ||
| "title": "### Impact\n\nTwig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. \nAs the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.\n\n### Patches\n\nThe issue was addressed by preventing dangerous functions from being called in Twig templates. A configuration option has been added to manually allow arbitrary PHP functions (`system.twig.safe_functions`) and filters (`system.twig.safe_filters`). \n\nFutures major versions of Grav may disable this functionality by default. \n\n### Workarounds\n\nBlocking access to the `/admin` path from untrusted sources will reduce the probability of exploitation. ", | ||
| "title": "### Impact\n\nTwig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. \nAs the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance.\n\n### Patches\n\nThe issue was addressed by preventing dangerous functions from being called in Twig templates. A configuration option has been added to manually allow arbitrary PHP functions (`system.twig.safe_functions`) and filters (`system.twig.safe_filters`). \n\nFutures major versions of Grav may disable this functionality by default. \n\n### Workarounds\n\nBlocking access to the `/admin` path from untrusted sources will reduce the probability of exploitation. \n\n### References\n\n- https://portswigger.net/research/server-side-template-injection\n- _Upcoming technical article on https://blog.sonarsource.com/tag/security_\n\n### For more information\n\nIf you have any questions or comments about this advisory, you can contact:\n - The original reporters, by sending an email to [[email protected]](mailto:[email protected]);\n - The maintainers, by opening an issue on this repository.", | ||
| "link": "https://github.com/advisories/GHSA-g8r4-p96j-xfxc", | ||
| "cve": "CVE-2021-29440", | ||
| "branches": { | ||
| "1.7.x": { | ||
| "time": 1618602792, | ||
| "versions": [ | ||
| "< 1.7.11" | ||
| "<= 1.7.10" | ||
| ] | ||
| } | ||
| }, | ||
|
|
||