Platform: php
Component: spatie/browsershot
Fixed in: 5.0.2
CVE-2024-21547 is a Directory Traversal vulnerability discovered in the spatie/browsershot PHP package. This flaw allows attackers to potentially read arbitrary files on the server by exploiting improper URI normalization. Versions of the package prior to 5.0.2 are affected. A fix has been released in version 5.0.2.
The core of the vulnerability lies in how spatie/browsershot handles file URIs. Specifically, the URI normalization process fails to adequately prevent attackers from bypassing the intended file:// check. By crafting a malicious URI containing escaped backslashes (\\), an attacker can trick the application into interpreting the path as pointing to a different location on the server. This allows for the retrieval of sensitive files, including configuration files, source code, or even system files, depending on the server's permissions and configuration. The impact extends beyond simple information disclosure: an attacker could leverage this access to further compromise the system, for example by injecting malicious code or gaining remote code execution if the retrieved files contain executable scripts.
CVE-2024-21547 was publicly disclosed on December 18, 2024. There is currently no indication of active exploitation in the wild, and it is not listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the ease of exploitation and the widespread use of the spatie/browsershot package. The vulnerability's simplicity increases the probability of exploitation.
Applications using the spatie/browsershot package in their PHP projects are at risk. This includes websites and web applications that rely on browsershot for generating screenshots or PDFs from web pages. Shared hosting environments where the spatie/browsershot package is installed globally are particularly vulnerable.
• php / composer:
  composer show spatie/browsershot
  If the installed version is <= 5.0.1, the system is vulnerable.
• generic web:
  curl -I 'http://your-website.com/browsershot?url=file:\\\/etc/passwd' # Check for 200 OK and file content in response
• generic web:
  Check access logs for requests containing file:\\\
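The access-log check above is easy to get wrong by hand, because the same file: scheme can arrive with raw backslashes, with %5C percent-encoding, or double-encoded through a proxy. The following PHP script is an added example (not part of this advisory or of the spatie/browsershot project) that canonicalizes each request target before matching; the log lines are constructed, and the NCSA combined log layout and the function names are assumptions.

```php
<?php
// Added example, not part of the advisory: scan access-log lines for the
// backslash-escaped file: scheme the advisory says to look for. The log
// lines at the bottom are constructed; the field layout follows the common
// NCSA combined format, which is an assumption about your server.
declare(strict_types=1);

/**
 * True when a request target smuggles a file: scheme in any spelling:
 * file://, file:\\, file:\\\/, or the same with %5C / %2F percent-encoding.
 */
function requestSmugglesFileScheme(string $requestTarget): bool
{
    // Decode twice: proxies and frameworks often double-encode. Then fold
    // backslashes into forward slashes so every variant looks like file:/.
    $decoded   = rawurldecode(rawurldecode($requestTarget));
    $canonical = str_replace('\\', '/', $decoded);

    return preg_match('~file:/~i', $canonical) === 1;
}

/**
 * Parse one access-log line and return [ip, target, status], or null when
 * the line does not match the expected layout.
 */
function parseAccessLogLine(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[[^\]]+\] "(?:[A-Z]+) (\S+) [^"]*" (\d{3})~';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'target' => $m[2], 'status' => (int) $m[3]];
}

/**
 * Return the parsed entries that carry a file: scheme. Entries answered with
 * HTTP 200 deserve the most attention: a successful render of a file URI on
 * an unpatched host is the case the advisory describes.
 */
function findFileSchemeRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseAccessLogLine($line);
        if ($entry !== null && requestSmugglesFileScheme($entry['target'])) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed sample: one benign render, one raw-backslash variant and one
// percent-encoded variant. Nowdoc syntax keeps the backslashes literal.
$sampleLog = <<<'LOG'
203.0.113.5 - - [18/Dec/2024:10:01:02 +0000] "GET /browsershot?url=https://example.com/page HTTP/1.1" 200 15320
203.0.113.7 - - [18/Dec/2024:10:02:15 +0000] "GET /browsershot?url=file:\\\/etc/passwd HTTP/1.1" 200 2048
203.0.113.9 - - [18/Dec/2024:10:03:44 +0000] "GET /browsershot?url=file%3A%5C%5C%5C%2Fetc%2Fpasswd HTTP/1.1" 200 2048
LOG;

foreach (findFileSchemeRequests($sampleLog) as $hit) {
    printf("%s requested %s -> HTTP %d\n", $hit['ip'], $hit['target'], $hit['status']);
}
```

Run it against a real log by replacing `$sampleLog` with `file_get_contents('/var/log/apache2/access.log')` (path is an assumption). The second and third sample lines are reported; the first is not. Matching on the canonical form rather than on the literal `file:\\\` string is what catches the encoded variants.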
Disclosure
Exploit status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-21547 is to immediately upgrade to spatie/browsershot version 5.0.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by strictly validating and sanitizing all file URIs provided to the browsershot function. This could involve whitelisting allowed file extensions or implementing more robust URI parsing to prevent the bypass of the file:// check. Additionally, review server permissions to ensure that the web server user has the minimum necessary access to files and directories. After upgrading, confirm the fix by attempting to access a sensitive file via a crafted URI (e.g., file:\\\\etc\\passwd) and verifying that access is denied.
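The "strict validation" workaround above is only as good as its handling of the backslash variants that defeated the package's own file:// check. The following PHP code is an added example, not code from this advisory or from spatie/browsershot: it decides on a decoded, backslash-folded copy of the input, allowlists the scheme and host, and only then hands the untouched original to Browsershot. The wrapper function names and the allowed-host list are assumptions; `Browsershot::url()->save()` is the package's documented entry point.

```php
<?php
// Added example, not the package's code: allowlist-style validation of a
// user-supplied URL before it reaches Browsershot, as a stop-gap while the
// upgrade to 5.0.2 is pending and as defence in depth afterwards.
// The wrapper names and the allowed-host list are assumptions.
declare(strict_types=1);

use Spatie\Browsershot\Browsershot;

/**
 * Return $url unchanged when it is an absolute http(s) URL whose host is on
 * the allowlist; throw otherwise. Decoding and backslash folding happen on a
 * copy used only for the decision, so file:\\, file:%5C%5C and similar
 * spellings cannot slip past a naive "starts with file://" test.
 */
function assertRenderableUrl(string $url, array $allowedHosts): string
{
    if (preg_match('/[\x00-\x20\x7F]/', $url) === 1) {
        throw new InvalidArgumentException('URL contains control or whitespace characters');
    }

    // Canonical copy: decode (twice, for double-encoding), then treat "\" as "/".
    $canonical = str_replace('\\', '/', rawurldecode(rawurldecode($url)));

    $parts = parse_url($canonical);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        throw new InvalidArgumentException('URL must be absolute with a host');
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https URLs may be rendered');
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        throw new InvalidArgumentException('Host is not on the allowlist');
    }
    // The raw string must also spell the scheme literally, so a percent-encoded
    // scheme cannot pass on the strength of the decoded copy alone.
    if (preg_match('~^https?://~i', $url) !== 1) {
        throw new InvalidArgumentException('Scheme must be spelled out literally');
    }
    return $url;
}

/** Render a PDF only after validation. Requires spatie/browsershot >= 5.0.2. */
function renderPdf(string $url, string $outputPath, array $allowedHosts): void
{
    Browsershot::url(assertRenderableUrl($url, $allowedHosts))->save($outputPath);
}

// Constructed inputs exercising the validator alone (no browser needed).
$allowed = ['example.com', 'www.example.com'];
$inputs  = [
    'https://www.example.com/invoice/42',
    'file:///etc/passwd',
    'file:\\\\\/etc/passwd',            // three backslashes once PHP un-escapes the literal
    'file%3A%5C%5C%5C%2Fetc%2Fpasswd',  // same, percent-encoded
    'https://evil.example.net/',
];
foreach ($inputs as $input) {
    try {
        assertRenderableUrl($input, $allowed);
        echo "accepted: $input\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $input ({$e->getMessage()})\n";
    }
}
```

Only the first input is accepted. The design point is that the check is positive (what is allowed) rather than negative (what is forbidden): a deny-list on the literal string `file://` is exactly the check this CVE bypasses, while requiring an http(s) scheme and an allowlisted host on the canonical form leaves no spelling of a file URI to exploit.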
Update the spatie/browsershot library to version 5.0.2 or later. This fixes the path traversal vulnerability. Run `composer update spatie/browsershot` to update to the patched version.
CVE-2024-21547 is a Directory Traversal vulnerability affecting versions of spatie/browsershot before 5.0.2, allowing attackers to read arbitrary files on the server.
You are affected if you are using spatie/browsershot version 5.0.1 or earlier. Check your composer.json file to determine your version.
Upgrade to version 5.0.2 or later of the spatie/browsershot package using `composer require spatie/browsershot:^5.0.2`.
As of December 2024, there are no confirmed reports of active exploitation, but it is crucial to apply the fix promptly.
Refer to the spatie/browsershot GitHub repository for updates and advisories: https://github.com/spatie/browsershot