Vulnerabilities > CVE-2019-10867 - Deserialization of Untrusted Data vulnerability in Pimcore
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data parameter to bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
| file | exploits/php/remote/46783.rb |
| id | EDB-ID:46783 |
| last seen | 2019-04-30 |
| modified | 2019-04-30 |
| platform | php |
| port | |
| published | 2019-04-30 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/46783 |
| title | Pimcore < 5.71 - Unserialize RCE (Metasploit) |
| type | remote |
Metasploit
| description | This module exploits a PHP unserialize() in Pimcore before 5.7.1 to execute arbitrary code. An authenticated user with "classes" permission could exploit the vulnerability. The vulnerability exists in the "ClassController.php" class, where the "bulk-commit" method makes it possible to exploit the unserialize function when passing untrusted values in "data" parameter. Tested on Pimcore 5.4.0-5.4.4, 5.5.1-5.5.4, 5.6.0-5.6.6 with the Symfony unserialize payload. Tested on Pimcore 4.0.0-4.6.5 with the Zend unserialize payload. |
| id | MSF:EXPLOIT/MULTI/HTTP/PIMCORE_UNSERIALIZE_RCE |
| last seen | 2020-06-14 |
| modified | 2019-04-29 |
| published | 2019-04-07 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/pimcore_unserialize_rce.rb |
| title | Pimcore Unserialize RCE |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/152667/pimcore_unserialize_rce.rb.txt |
| id | PACKETSTORM:152667 |
| last seen | 2019-05-01 |
| published | 2019-04-29 |
| reporter | Daniele Scanu |
| source | https://packetstormsecurity.com/files/152667/Pimcore-Unserialize-Remote-Code-Execution.html |
| title | Pimcore Unserialize Remote Code Execution |
References
- http://packetstormsecurity.com/files/152667/Pimcore-Unserialize-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/multi/http/pimcore_unserialize_rce
- https://blog.certimetergroup.com/it/articolo/security/polyglot_phar_deserialization_to_rce
- https://github.com/pimcore/pimcore/commit/38a29e2f4f5f060a73974626952501cee05fda73
- https://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-173998
- https://www.exploit-db.com/exploits/46783/