Vulnerability-Lookup

CVE-2020-5256 (GCVE-0-2020-5256)

Vulnerability from cvelistv5 – Published: 2020-03-09 15:50 – Updated: 2024-08-04 08:22

Title

Remote Code Execution Through Image Uploads in BookStack

Summary

BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability.

Severity ?

7.9 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

CWE

CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/BookStackApp/BookStack/securit…	x_refsource_CONFIRM
	https://github.com/BookStackApp/BookStack/release…	x_refsource_MISC
	https://github.com/BookStackApp/BookStack/release…	x_refsource_MISC
	https://github.com/BookStackApp/BookStack/release…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	BookStackApp	BookStack	Affected: < 0.25.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T08:22:09.083Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BookStack",
          "vendor": "BookStackApp",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.25.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-09T15:50:22.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5"
        }
      ],
      "source": {
        "advisory": "GHSA-g9rq-x4fj-f5hx",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution Through Image Uploads in BookStack",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5256",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution Through Image Uploads in BookStack"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "BookStack",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 0.25.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "BookStackApp"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx",
              "refsource": "CONFIRM",
              "url": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx"
            },
            {
              "name": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3",
              "refsource": "MISC",
              "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3"
            },
            {
              "name": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4",
              "refsource": "MISC",
              "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4"
            },
            {
              "name": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5",
              "refsource": "MISC",
              "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-g9rq-x4fj-f5hx",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-5256",
    "datePublished": "2020-03-09T15:50:22.000Z",
    "dateReserved": "2020-01-02T00:00:00.000Z",
    "dateUpdated": "2024-08-04T08:22:09.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GSD-2020-5256

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2020-5256

Aliases

CVE-2020-5256

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-5256",
    "description": "BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability.",
    "id": "GSD-2020-5256"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-5256"
      ],
      "details": "BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability.",
      "id": "GSD-2020-5256",
      "modified": "2023-12-13T01:22:03.677192Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-5256",
        "STATE": "PUBLIC",
        "TITLE": "Remote Code Execution Through Image Uploads in BookStack"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "BookStack",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 0.25.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "BookStackApp"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.9,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx",
            "refsource": "CONFIRM",
            "url": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx"
          },
          {
            "name": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3",
            "refsource": "MISC",
            "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3"
          },
          {
            "name": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4",
            "refsource": "MISC",
            "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4"
          },
          {
            "name": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5",
            "refsource": "MISC",
            "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-g9rq-x4fj-f5hx",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.25.3",
          "affected_versions": "All versions before 0.25.3",
          "cvss_v2": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-434",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2021-01-08",
          "description": "BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability.",
          "fixed_versions": [
            "0.25.5"
          ],
          "identifier": "CVE-2020-5256",
          "identifiers": [
            "GHSA-g9rq-x4fj-f5hx",
            "CVE-2020-5256"
          ],
          "not_impacted": "All versions starting from 0.25.3",
          "package_slug": "packagist/ssddanbrown/bookstack",
          "pubdate": "2020-03-13",
          "solution": "Upgrade to version 0.25.5 or above.",
          "title": "Unrestricted Upload of File with Dangerous Type",
          "urls": [
            "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-5256",
            "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3",
            "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4",
            "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5",
            "https://github.com/advisories/GHSA-g9rq-x4fj-f5hx"
          ],
          "uuid": "d009c4c4-4f0c-4747-a226-54b92c8fde2e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:bookstackapp:bookstack:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.25.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-5256"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-434"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx"
            },
            {
              "name": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3"
            },
            {
              "name": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5"
            },
            {
              "name": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2020-03-10T13:34Z",
      "publishedDate": "2020-03-09T16:15Z"
    }
  }
}

CNVD-2020-16632

Vulnerability from cnvd - Published: 2020-03-10

Title

BookStack远程代码执行漏洞

Description

BookStack是一个用于存储和组织信息和文档的平台。 BookStack 0.25.5之前版本存在远程代码执行漏洞。该漏洞源于用户可通过图像上传功能上传PHP文件。攻击者可利用该漏洞在主机系统上远程执行代码，从而可获得PHP进程权限。

Severity

中

Patch Name

BookStack远程代码执行漏洞的补丁

Patch Description

BookStack是一个用于存储和组织信息和文档的平台。 BookStack 0.25.5之前版本存在远程代码执行漏洞。该漏洞源于用户可通过图像上传功能上传PHP文件。攻击者可利用该漏洞在主机系统上远程执行代码，从而可获得PHP进程权限。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-5256

Impacted products

Name
BookStack BookStack <0.25.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-5256"
    }
  },
  "description": "BookStack\u662f\u4e00\u4e2a\u7528\u4e8e\u5b58\u50a8\u548c\u7ec4\u7ec7\u4fe1\u606f\u548c\u6587\u6863\u7684\u5e73\u53f0\u3002\n\nBookStack 0.25.5\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7528\u6237\u53ef\u901a\u8fc7\u56fe\u50cf\u4e0a\u4f20\u529f\u80fd\u4e0a\u4f20PHP\u6587\u4ef6\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4e3b\u673a\u7cfb\u7edf\u4e0a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\uff0c\u4ece\u800c\u53ef\u83b7\u5f97PHP\u8fdb\u7a0b\u6743\u9650\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-16632",
  "openTime": "2020-03-10",
  "patchDescription": "BookStack\u662f\u4e00\u4e2a\u7528\u4e8e\u5b58\u50a8\u548c\u7ec4\u7ec7\u4fe1\u606f\u548c\u6587\u6863\u7684\u5e73\u53f0\u3002\r\n\r\nBookStack 0.25.5\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7528\u6237\u53ef\u901a\u8fc7\u56fe\u50cf\u4e0a\u4f20\u529f\u80fd\u4e0a\u4f20PHP\u6587\u4ef6\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u4e3b\u673a\u7cfb\u7edf\u4e0a\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\uff0c\u4ece\u800c\u53ef\u83b7\u5f97PHP\u8fdb\u7a0b\u6743\u9650\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "BookStack\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "BookStack BookStack \u003c0.25.5"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-5256",
  "serverity": "\u4e2d",
  "submitTime": "2020-03-10",
  "title": "BookStack\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

FKIE_CVE-2020-5256

Vulnerability from fkie_nvd - Published: 2020-03-09 16:15 - Updated: 2024-11-21 05:33

Severity ?

7.9 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3	Release Notes
security-advisories@github.com	https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4	Release Notes
security-advisories@github.com	https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5	Release Notes
security-advisories@github.com	https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx	Third Party Advisory

Impacted products

	Vendor	Product	Version
	bookstackapp	bookstack	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bookstackapp:bookstack:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8B4AD81-4EED-4873-A781-F389F361A132",
              "versionEndExcluding": "0.25.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability."
    },
    {
      "lang": "es",
      "value": "BookStack versiones anteriores a 0.25.5, presenta una vulnerabilidad donde un usuario puede cargar archivos PHP por medio de funciones de carga de im\u00e1genes, lo que le permitir\u00eda ejecutar c\u00f3digo sobre el sistema host remotamente. Luego tendr\u00edan los permisos del proceso de PHP. Esto impacta m\u00e1s a los escenarios donde los usuarios no confiables tienen permiso para cargar im\u00e1genes en cualquier \u00e1rea de la aplicaci\u00f3n. El problema fue abordado en una serie de parches en las versiones 0.25.3, 0.25.4 y 0.25.5. Los usuarios deben actualizar al menos a la versi\u00f3n v0.25.5 para evitar esta vulnerabilidad."
    }
  ],
  "id": "CVE-2020-5256",
  "lastModified": "2024-11-21T05:33:46.677",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.9,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-03-09T16:15:15.750",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-95"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-434"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-G9RQ-X4FJ-F5HX

Vulnerability from github – Published: 2020-03-13 20:21 – Updated: 2021-01-08 21:18

Summary

Remote Code Execution Through Image Uploads in BookStack

Details

Impact

A user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process.

This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application.

Patches

The issue was addressed in a series of patches: v0.25.3, v0.25.4 and v0.25.5. Users should upgrade to at least v0.25.5 to avoid this patch but ideally the latest BookStack version as previous versions are un-supported.

Workarounds

Depending on BookStack version, you could use the local_secure image storage option, or use s3 or a similar compatible service.

Preventing direct execution of any php files, apart from the public/index.php file, though web-server configuration would also prevent this.

References

BookStack Beta v0.25.3 BookStack Beta v0.25.4 BookStack Beta v0.25.5

For more information

If you have any questions or comments about this advisory: * Open an issue in the BookStack GitHub repository. * Ask on the BookStack Discord chat. * Follow the BookStack Security advise to contact someone privately.

Severity ?

7.9 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.25.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "ssddanbrown/bookstack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.25.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-13T20:20:25Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process.\n\nThis most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. \n\n### Patches\n\nThe issue was addressed in a series of patches: v0.25.3, v0.25.4 and v0.25.5.\nUsers should upgrade to at least v0.25.5 to avoid this patch but ideally the latest BookStack version as previous versions are un-supported.\n\n### Workarounds\n\nDepending on BookStack version, you could use the [local_secure](https://www.bookstackapp.com/docs/admin/upload-config/#local-secure) image storage option, or use s3 or a similar compatible service.\n\nPreventing direct execution of any `php` files, apart from the `public/index.php` file, though web-server configuration would also prevent this.\n\n### References\n\n[BookStack Beta v0.25.3](https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3)\n[BookStack Beta v0.25.4](https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4)\n[BookStack Beta v0.25.5](https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [the BookStack GitHub repository](BookStackApp/BookStack/issues).\n* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).\n* Follow the [BookStack Security advise](https://github.com/BookStackApp/BookStack#-security) to contact someone privately.",
  "id": "GHSA-g9rq-x4fj-f5hx",
  "modified": "2021-01-08T21:18:55Z",
  "published": "2020-03-13T20:21:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5256"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote Code Execution Through Image Uploads in BookStack"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-5256 (GCVE-0-2020-5256)

GSD-2020-5256

CNVD-2020-16632

FKIE_CVE-2020-5256

GHSA-G9RQ-X4FJ-F5HX

Impact

Patches

Workarounds

References

For more information

Tags

Sightings

Nomenclature