GHSA-mj6m-246h-9w56

Published: 01 Mar 2022
Source: github
Github: Reviewed

Description

Improper regex in htaccess file

Impact

The default .htaccess file restricts access to PHP files so that only specific PHP files can be executed in the root of the application.

This logic isn't correct, as the regex in the second FilesMatch only checks the filename, not the full path.
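
The difference between filename-only and full-path matching, as an added example that is not part of the advisory or of Mautic's code. The allowlist pattern and the sample paths are constructed for illustration, since the advisory does not quote the actual regex; the audit function lists PHP files that a filename-only rule permits outside the application root.

```python
import re
from pathlib import PurePosixPath

# Hypothetical allowlist, constructed for illustration; the advisory does not
# quote the actual pattern from the .htaccess file.
ALLOWED_NAME = re.compile(r"^(index|upgrade)\.php$")


def filename_only_allows(rel_path: str) -> bool:
    """Model of <FilesMatch>: the regex sees only the last path component."""
    return bool(ALLOWED_NAME.search(PurePosixPath(rel_path).name))


def full_path_allows(rel_path: str) -> bool:
    """Intended policy: an allowed name located directly in the application root."""
    p = PurePosixPath(rel_path)
    return len(p.parts) == 1 and bool(ALLOWED_NAME.search(p.name))


def unintended_php(rel_paths):
    """PHP files the filename-only rule permits but the intended policy denies."""
    return sorted(
        p for p in rel_paths
        if p.endswith(".php") and filename_only_allows(p) and not full_path_allows(p)
    )


# Constructed sample of paths, relative to the document root.
SAMPLE_PATHS = [
    "index.php",
    "upgrade.php",
    "app/config/local.php",
    "media/files/index.php",
    "plugins/Example/upgrade.php",
    "media/images/logo.png",
]

if __name__ == "__main__":
    for path in unintended_php(SAMPLE_PATHS):
        print("allowed by filename-only match, outside root:", path)
```

Running the same check over a real file listing of the document root shows which existing PHP files share a name with an allowlisted entry point.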

Patches

Please upgrade to 3.3.5 or 4.2.0

Workarounds

No

References

For more information

If you have any questions or comments about this advisory:

Packages

| Name | Affected versions | Fixed version |
|------|-------------------|---------------|
| mautic/core (composer) | < 3.3.5 | 3.3.5 |
| mautic/core (composer) | >= 4.0.0, < 4.2.0 | 4.2.0 |

EPSS

Percentile: 31%
0.00119
Low

Related vulnerabilities

CVSS3: 7.2
nvd
more than 1 year ago

Impact: The default .htaccess file has some restrictions in the access to PHP files to only allow specific PHP files to be executed in the root of the application. This logic isn't correct, as the regex in the second FilesMatch only checks the filename, not the full path.
