8.6

CVSS Score

Basic Information

CVE ID

CVE-2021-43836

GHSA ID

GHSA-vx6j-pjrh-vgjh

EPSS Score

CWE

CWE-22

Published

12/15/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-43836

CVE-2021-43836:
PHP file inclusion in the Sulu admin panel

Impact

What kind of vulnerability is it? Who is impacted?

An attacker can read arbitrary local files via a PHP file include. In a default configuration this also leads to remote code execution.

Compromised components: Arbitrary file read on the server, (Potential) Remote code execution
Exploitation pre-requisite: User account on the backend

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with the Versions 1.6.44, 2.2.18, 2.3.8, 2.4.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Overwrite the service sulu_route.generator.expression_token_provider and wrap the translator before passing it to the expression language.

References

Are there any links users can visit to find out more?

Currently not.

For more information

If you have any questions or comments about this advisory:

Open an issue in example link to repo
Email us at example email address

(GitHub Advisory)

8.6

CVSS Score

Basic Information

CVE ID

CVE-2021-43836

GHSA ID

GHSA-vx6j-pjrh-vgjh

EPSS Score

CWE

CWE-22

Published

12/15/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sulu/sulu	composer	< 1.6.44	1.6.44
sulu/sulu	composer	>= 2.0.0, < 2.2.18	2.2.18
sulu/sulu	composer	>= 2.3.0, < 2.3.8	2.3.8
sulu/sulu	composer	= 2.4.0-RC1	2.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the ExpressionLanguage evaluator having access to an unrestricted TranslatorInterface. The patch wraps the translator with a security proxy (TranslatorWrapper) that blocks setLocale and implicitly prevents addResource() calls. The test case explicitly shows attempts to exploit translator.addResource() were blocked post-patch. The root cause is the direct exposure of the translator to expression evaluation, which allowed path traversal via file inclusion methods in the Translator component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ *n *tt**k*r **n r*** *r*itr*ry lo**l *il*s vi* * P*P *il* in*lu**. In * ****ult *on*i*ur*tion t*is *lso l***s to r*mot* *o** *x**ution. * *ompromis** *ompon*nts: *r*itr*ry *il* r*** on

Reasoning

T** vuln*r**ility st*ms *rom t** *xpr*ssionL*n*u*** *v*lu*tor **vin* ****ss to *n unr*stri*t** Tr*nsl*torInt*r****. T** p*t** wr*ps t** tr*nsl*tor wit* * s**urity proxy (Tr*nsl*torWr*pp*r) t**t *lo*ks s*tLo**l* *n* impli*itly pr*v*nts ***R*sour**() *

8.6

Basic Information

Concerned about an active attack path?

CVE-2021-43836: PHP file inclusion in the Sulu admin panel

Impact

Patches

Workarounds

References

For more information

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-43836:
PHP file inclusion in the Sulu admin panel

Vulnerability Intelligence
Miggo AI