CVE-2022-41951

Severity: HIGH 8.5 | EPSS 0.41%

OroPlatform vulnerable to path traversal during temporary file manipulations

Published: 11/27/2023 | Modified: 2/16/2024

Description

### Impact

Path Traversal is possible in `Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName`. With this method, an attacker can pass the path to a non-existent file, which allows writing content to a new file that is available during script execution. The file is deleted immediately after the script ends.

### Workarounds

Apply the following patch:

```patch
--- a/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
+++ b/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
@@ -614,6 +614,10 @@
      */
     public function getTemporaryFileName(string $suggestedFileName = null): string
     {
+        if ($suggestedFileName) {
+            $suggestedFileName = basename($suggestedFileName);
+        }
+
         $tmpDir = ini_get('upload_tmp_dir');
         if (!$tmpDir || !is_dir($tmpDir) || !is_writable($tmpDir)) {
             $tmpDir = sys_get_temp_dir();
```

Or decorate `Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName` in your customization and sanitize the `$suggestedFileName` argument before delegating to the original method:

```php
// Subclass used as the decorating service (class name is a placeholder;
// register it as described in the Symfony decoration docs linked below).
class FileManager extends \Oro\Bundle\GaufretteBundle\FileManager
{
    public function getTemporaryFileName(string $suggestedFileName = null): string
    {
        if ($suggestedFileName) {
            // Keep only the last path component so '..' segments cannot escape the temp dir.
            $suggestedFileName = basename($suggestedFileName);
        }

        return parent::getTemporaryFileName($suggestedFileName);
    }
}
```

### References

- [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
- [How to Decorate Services](https://symfony.com/doc/5.4/service_container/service_decoration.html)
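Review bot: `basename()` alone still returns the degenerate values `..` and `.` for inputs such as `..` or `../`, so the added `if ($suggestedFileName)` block should also reject an empty result, `.` and `..` and fall back to a generated name; as written, such a value is passed on unchanged and the name later built from `$tmpDir` can still refer to the temp directory's parent rather than a file inside it.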

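As an added example that is not OroPlatform's code, the following stand-in for `getTemporaryFileName` places the unsanitized name-joining (an assumed simplification of the vulnerable behaviour) beside a hardened form that applies `basename()` as in the workaround, rejects the degenerate results `.`, `..` and `''`, and checks that the final path still resolves inside the temp directory. The helper names and the inputs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Same temp-dir selection as the patched method.
function tmpDir(): string
{
    $tmpDir = ini_get('upload_tmp_dir');
    if (!$tmpDir || !is_dir($tmpDir) || !is_writable($tmpDir)) {
        $tmpDir = sys_get_temp_dir();
    }
    return rtrim($tmpDir, DIRECTORY_SEPARATOR);
}

// Vulnerable shape (assumed simplification): the caller-supplied name is
// joined to the temp dir as-is, so '..' segments escape it.
function unsafeTemporaryFileName(?string $suggested): string
{
    $name = $suggested ?: uniqid('tmp_', true);
    return tmpDir() . DIRECTORY_SEPARATOR . $name;
}

// Hardened: keep only the last path component (as in the patch), reject the
// degenerate results, and verify the result's parent is the temp dir itself.
function safeTemporaryFileName(?string $suggested): string
{
    $name = $suggested !== null ? basename($suggested) : '';
    if ($name === '' || $name === '.' || $name === '..') {
        $name = uniqid('tmp_', true);
    }
    $dir  = tmpDir();
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($path)) !== realpath($dir)) {
        throw new \RuntimeException('temporary file name escapes the temp dir');
    }
    return $path;
}

// Constructed inputs: a normal name, a traversal attempt, and the edge cases
// that basename() alone does not neutralise. The hardened form never leaves tmpDir.
foreach (['report.csv', '../../outside/escape.txt', '..', ''] as $input) {
    printf("%-28s unsafe: %s\n", var_export($input, true), unsafeTemporaryFileName($input));
    printf("%-28s safe:   %s\n", '', safeTemporaryFileName($input));
}
```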
Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | HIGH 8.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |

References (3)