OroPlatform vulnerable to path traversal during temporary file manipulations

Impact

Path Traversal is possible in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName.
With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. The file will be deleted immediately after the script ends.

Workarounds

Apply patch

--- a/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
+++ b/vendor/oro/platform/src/Oro/Bundle/GaufretteBundle/FileManager.php
@@ -614,6 +614,10 @@
      */
     public function getTemporaryFileName(string $suggestedFileName = null): string
     {
+        if ($suggestedFileName) {
+            $suggestedFileName = basename($suggestedFileName);
+        }
+
         $tmpDir = ini_get('upload_tmp_dir');
         if (!$tmpDir || !is_dir($tmpDir) || !is_writable($tmpDir)) {
             $tmpDir = sys_get_temp_dir();

Or decorate Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName in your customization and clear $suggestedFileName argument

    public function getTemporaryFileName(string $suggestedFileName = null): string
    {
        if ($suggestedFileName) {
            $suggestedFileName = basename($suggestedFileName);
        }

        return parent::getTemporaryFileName($suggestedFileName);
    }

References

dkhrysev published to oroinc/platform Nov 27, 2023

Published by the National Vulnerability Database Nov 27, 2023

Published to the GitHub Advisory Database Nov 27, 2023

Reviewed Nov 27, 2023

Last updated Nov 27, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Workarounds

References

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code