CVE-2023-38708

2023-08-0401:15:09

CWE-22

[email protected]

web.nvd.nist.gov

pimcore

assetcontroller

path traversal

vulnerability

file overwrite

denial of service

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.3%

JSON

Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the AssetController::importServerFilesAction, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service—key file overwrite.
The impact of this vulnerability allows attackers to: overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted.

Affected configurations

Vulners

NVD

Node

pimcorepimcoreRange<10.6.7

VendorProductVersionCPE
pimcorepimcore*cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pimcore	pimcore	*	cpe:2.3:a:pimcore:pimcore::::::::

CNA Affected

[
  {
    "vendor": "pimcore",
    "product": "pimcore",
    "versions": [
      {
        "version": "< 10.6.7",
        "status": "affected"
      }
    ]
  }
]