Deserialization of Untrusted Data Affecting getgrav/grav package, versions <2.0.0-beta.2

getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via unsafe handling of serialized data and improper input validation in multiple components, including JobQueue, FileCache, Session, and the InstallCommand process. An attacker can achieve arbitrary code execution or escalate privileges by supplying crafted serialized objects or injecting malicious input into shell commands. This is only exploitable if an attacker can write to the cache directory or inject data into the affected processes.

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

• GitHub Advisory
• GitHub Commit