CVE-2019-10867 - Deserialization of Untrusted Data vulnerability in Pimcore
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An issue was discovered in Pimcore before 5.7.1. An authenticated attacker holding the "classes" permission can send a POST request to /admin/class/bulk-commit; the request's data parameter is passed, untrusted, to unserialize() in bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php, which allows arbitrary code execution through a deserialization gadget chain.
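The sink named in the summary, shown as an added PHP illustration that is neither Pimcore's controller nor the patched code: a request field fed straight into unserialize() lets the client choose which class is instantiated, so any class with an active magic method becomes a gadget. The CacheCleanup class, the bulkCommit* function names and the two request bodies are constructed for this example and stand in for the Symfony and Zend gadget classes the Metasploit module actually uses; the json_decode() and allowed_classes variants are the generic remediations for this bug class, not a statement about what the referenced fix commit changed.

```php
<?php
// Added illustration, not Pimcore's code: why unserialize() on a request
// parameter is a code-execution sink, and what the hardened handlers look like.

declare(strict_types=1);

// Hypothetical gadget class. Any application or framework class whose
// __wakeup()/__destruct() acts on its own properties can play this role;
// the attacker never needs to upload it, only to name it in the payload.
class CacheCleanup
{
    public string $command = 'true';

    // Fires when the object is released, including objects unserialize()
    // has just built from attacker-controlled bytes.
    public function __destruct()
    {
        // A real gadget would call shell_exec($this->command); echo keeps
        // the example safe to run.
        echo "[gadget] would execute: {$this->command}\n";
    }
}

// Vulnerable pattern: the "data" POST field goes straight into unserialize().
function bulkCommitVulnerable(array $post): array
{
    $data = unserialize($post['data']); // CWE-502: client picks the class
    return is_array($data) ? $data : [];
}

// Hardened pattern: parse the same field as JSON. json_decode() only ever
// yields arrays and scalars, so no application class is instantiated.
function bulkCommitFixed(array $post): array
{
    $data = json_decode($post['data'], true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('data must be a JSON object');
    }
    // Allow-list the keys this endpoint actually consumes (hypothetical set).
    $allowed = ['filename', 'className', 'classId'];
    return array_intersect_key($data, array_flip($allowed));
}

// Fallback when the wire format cannot change: refuse to instantiate classes.
// Objects come back as __PHP_Incomplete_Class and no magic method runs, but
// unserialize() still parses attacker bytes, so prefer the JSON version.
function bulkCommitAllowlisted(array $post): array
{
    $data = unserialize($post['data'], ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed request bodies for the demo.
$benign = ['data' => serialize(['className' => 'Product'])];

// Serialized CacheCleanup with an attacker-chosen command: this is what
// "untrusted values in the data parameter" means in practice.
$malicious = ['data' => 'O:12:"CacheCleanup":1:{s:7:"command";s:15:"id > /tmp/pwned";}'];

echo "vulnerable, benign input: ", json_encode(bulkCommitVulnerable($benign)), "\n";
echo "vulnerable, malicious input:\n";
bulkCommitVulnerable($malicious); // __destruct fires as the function returns

echo "allowlisted, malicious input: ", json_encode(bulkCommitAllowlisted($malicious)), "\n";

echo "fixed, malicious input: ";
try {
    bulkCommitFixed($malicious);
} catch (JsonException $e) {
    echo "rejected (", $e->getMessage(), ")\n";
}
echo "fixed, JSON input: ",
    json_encode(bulkCommitFixed(['data' => '{"className":"Product","extra":1}'])), "\n";
```

Run it with `php example.php` (PHP 7.4 or later for the typed property). The second call prints the gadget line although the handler itself only returned an empty array: the damage happens inside unserialize() and object teardown, before any validation of the decoded value can run, which is why checking the result after deserialization does not fix this class of bug. The allowed_classes => false call returns the same empty array without the gadget firing; the JSON handler rejects the payload outright.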
Vulnerable Configurations
Pimcore before 5.7.1 (the Metasploit module below reports successful tests on 5.4.0-5.4.4, 5.5.1-5.5.4 and 5.6.0-5.6.6 with the Symfony payload, and on 4.0.0-4.6.5 with the Zend payload)
Common Weakness Enumeration (CWE)
CWE-502: Deserialization of Untrusted Data
Exploit-Db
file | exploits/php/remote/46783.rb |
id | EDB-ID:46783 |
last seen | 2019-04-30 |
modified | 2019-04-30 |
platform | php |
port | |
published | 2019-04-30 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/46783 |
title | Pimcore < 5.71 - Unserialize RCE (Metasploit) |
type | remote |
Metasploit
description | This module exploits a PHP unserialize() in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability. The vulnerability exists in the "ClassController.php" class, where the "bulk-commit" method makes it possible to exploit the unserialize function when passing untrusted values in "data" parameter. Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.5.4, 5.6.0-5.6.6 with the Symfony unserialize payload. Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload. |
id | MSF:EXPLOIT/MULTI/HTTP/PIMCORE_UNSERIALIZE_RCE |
last seen | 2020-06-14 |
modified | 2019-04-29 |
published | 2019-04-07 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/pimcore_unserialize_rce.rb |
title | Pimcore Unserialize RCE |
Packetstorm
data source | https://packetstormsecurity.com/files/download/152667/pimcore_unserialize_rce.rb.txt |
id | PACKETSTORM:152667 |
last seen | 2019-05-01 |
published | 2019-04-29 |
reporter | Daniele Scanu |
source | https://packetstormsecurity.com/files/152667/Pimcore-Unserialize-Remote-Code-Execution.html |
title | Pimcore Unserialize Remote Code Execution |
References
- https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998
- https://github.com/pimcore/pimcore/commit/38a29e2f4f5f060a73974626952501cee05fda73
- http://packetstormsecurity.com/files/152667/Pimcore-Unserialize-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/multi/http/pimcore_unserialize_rce
- https://www.exploit-db.com/exploits/46783/
- https://blog.certimetergroup.com/it/articolo/security/polyglot_phar_deserialization_to_rce