
[GHSA-gmff-vcv6-mmfr] Update Confidentiality (C) from High (H) to Low (L) #5196

Open: wants to merge 1 commit into base anonymous-nlp-student/advisory-improvement-5196

Conversation

anonymous-nlp-student

Summary

The Confidentiality (C) rating for CVE-2018-14057 / GHSA-gmff-vcv6-mmfr should be revised from High to Low. The described CSRF vulnerability allows attackers to access restricted information but does not grant them (1) full control over the data or (2) the ability to steal highly sensitive information.

GHSA Description

Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the X-pimcore-csrf-token anti-CSRF token only in the "Settings > Users / Roles" function.

CVSS 3.x Specification

Metric value and description:

High (H): There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Low (L): There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.

None (N): There is no loss of confidentiality within the impacted component.

Supporting Examples

The following CVEs, which describe the same pimcore/pimcore software, are all rated C:L:

  • CVE-2022-0704 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Pimcore 10.3.3 and prior is vulnerable to stored cross-site scripting. A patch is available on the 10.x branch and will likely be part of version 10.4.0.

  • CVE-2022-0832 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Pimcore version 10.3.2 and prior is vulnerable to stored cross-site scripting. A patch is available and anticipated to be part of version 10.3.3.

  • CVE-2022-0831 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Pimcore version 10.3.2 and prior is vulnerable to stored cross-site scripting. A patch is available and anticipated to be part of version 10.3.3.

@github-actions github-actions bot changed the base branch from main to anonymous-nlp-student/advisory-improvement-5196 January 18, 2025 16:20
@JonathanLEvans

Hi @anonymous-nlp-student, just because the vulnerability affects the same product does not mean it will have the same impact as other vulnerabilities in the product.

@anonymous-nlp-student

@JonathanLEvans Thank you for your reply! While I understand that vulnerabilities in the same product can vary in impact, the current evidence for CVE-2018-14057 does not support a High (H) confidentiality rating. The described CSRF vulnerability affects the “Settings > Users / Roles” function and allows limited access to restricted information without enabling a total loss of confidentiality or disclosure of highly sensitive data, such as administrator passwords or encryption keys.

Additionally, related CVEs for the same pimcore/pimcore software, such as CVE-2022-0704, CVE-2022-0832, and CVE-2022-0831, all involve similar impacts and are consistently rated with a Low (L) confidentiality impact. This discrepancy raises concerns about consistency with CVSS definitions, where Low (L) applies to limited and non-critical disclosures, aligning with the description of CVE-2018-14057.

Unless there is additional evidence of a broader or more serious impact, I respectfully suggest revising the confidentiality rating to Low (L) for accuracy.

@JonathanLEvans

The described CSRF vulnerability affects the “Settings > Users / Roles” function and allows limited access to restricted information without enabling a total loss of confidentiality or disclosure of highly sensitive data, such as administrator passwords or encryption keys.

This is not correct. The CVE description says that anti-CSRF validation is only performed on the “Settings > Users / Roles” functions or, in other words, CSRF attacks work on all Pimcore functionality other than the “Settings > Users / Roles” functions.

That being said, if the CSRF attack could affect the “Settings > Users / Roles” functions, High would still be appropriate for Confidentiality because the attacker could create an administrator account that would have access to all the information in Pimcore.
