CVE-2021-23803: Incorrect Authorization in latte/latte
9.8
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| latte/latte | composer | < 2.10.6 | 2.10.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from inadequate input sanitization in the template parser. In latte/latte versions before 2.10.6, the Parser::parse method did not remove control characters from its input, so an attacker could inject control characters into a function name (e.g., `system\x00`). The SecurityPolicy's allowFunctions check saw the malformed name `system\x00`, which was not explicitly allowed, but the execution environment interpreted it as `system` (stripping the control characters at runtime), so the authorization check was bypassed. The GitHub patch explicitly adds control-character removal in Parser.php, confirming this root cause. The PoC demonstrates the bypass by using control characters to execute functions that were not allowed, such as system().
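The defensive lesson is that the name an allowlist check compares must be the same name the runtime ends up resolving. The PHP below is an added illustration written for this page; it is not Latte's code and does not reproduce the actual patch. It contrasts a naive byte-for-byte allowlist lookup, which makes no decision about names carrying control characters, with a hardened check that refuses any name that is not a plain identifier before consulting the allowlist. The function names, the `ALLOWED_FUNCTIONS` list and the sample inputs are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed allowlist for a sandboxed template (not Latte's real policy).
const ALLOWED_FUNCTIONS = ['strlen', 'strtoupper', 'count'];

/**
 * Naive check: compares the raw name against the allowlist byte-for-byte.
 * A name such as "system\x00" is simply "not in the list"; nothing here
 * guarantees that a later stage which normalizes the name will agree with
 * this decision.
 */
function isAllowedNaive(string $name): bool
{
    return in_array($name, ALLOWED_FUNCTIONS, true);
}

/**
 * Hardened check: reject anything that is not a plain PHP identifier
 * (ASCII letters, digits, underscore) before the allowlist is consulted.
 * Control characters (0x00-0x1F, 0x7F) therefore never reach the comparison,
 * and the name that is checked is exactly the name that would run.
 * PHP resolves function names case-insensitively, so the lookup lowercases.
 */
function isAllowedHardened(string $name): bool
{
    if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name) !== 1) {
        return false;
    }
    return in_array(strtolower($name), ALLOWED_FUNCTIONS, true);
}

/**
 * Parse-time normalization: drop control characters from template input
 * before any policy decision is made. This mirrors the intent of the
 * control-character removal described for the patch; it is not the patch code.
 */
function stripControlChars(string $input): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $input) ?? '';
}

// Constructed sample inputs.
$clean     = 'strlen';
$tampered  = "strlen\x00";     // allowed name with an injected NUL byte
$forbidden = "system\x00";     // name from the advisory with an injected NUL byte

// Naive: the tampered allowed name is rejected, yet a runtime that strips
// control characters would still call "strlen"; the decision and the call diverge.
var_dump(isAllowedNaive($clean));                          // bool(true)
var_dump(isAllowedNaive($tampered));                       // bool(false)

// Hardened: anything containing a control character is refused outright,
// and normalizing first yields the same answer the runtime would act on.
var_dump(isAllowedHardened($tampered));                    // bool(false)
var_dump(isAllowedHardened(stripControlChars($tampered))); // bool(true)  -> "strlen"
var_dump(isAllowedHardened($forbidden));                   // bool(false)
var_dump(isAllowedHardened(stripControlChars($forbidden)));// bool(false) -> "system" not allowed
```

The order matters: normalization (or strict identifier validation) has to happen before the policy check, never only at execution time, so that the policy and the runtime reason about one and the same string. Rejecting non-identifier names outright is the safer default, since silently stripping characters can still leave two layers disagreeing about what a name means.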