CVE-2024-41109: Pimcore vulnerable to disclosure of system and database information behind /admin firewall
Navigating to /admin/index/statistics with a logged in Pimcore user (not an XmlHttpRequest because of this check: IndexController:125) exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their row count in the system.
The web server should not return any product and version information of the components used. The table names and row counts should not be exposed.
References
- github.com/advisories/GHSA-fx6j-9pp6-ph36
- github.com/pimcore/admin-ui-classic-bundle
- github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php
- github.com/pimcore/admin-ui-classic-bundle/commit/afa10bff2f8bfe9c8af7b6b75885bc403f6984f0
- github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.5.2
- github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-fx6j-9pp6-ph36
- nvd.nist.gov/vuln/detail/CVE-2024-41109
Detect and mitigate CVE-2024-41109 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →