Pimcore
cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*
- <= 12.3
- <= 11.5.13
A vulnerability exists in Pimcore's API endpoint for managing static routes, affecting versions prior to 12.3.1 and 11.5.14. The issue arises from inadequate server-side authorization checks, allowing authenticated users without the necessary permissions to access sensitive route configurations. Static routes, which are custom URL patterns integrated into the MVC routing system, can be defined through the backend interface or a specific configuration file. The lack of proper authorization could lead to unauthorized access to internal routing metadata, potentially exposing application architecture and custom logic intended for administrative roles.
This vulnerability allows low-privileged users to enumerate static routes, gaining insight into URL patterns, associated controllers, and parameter handling. Such information could be exploited for targeted attacks, like path traversal or injection via exposed variables. In multi-tenant Pimcore environments, this could lead to unauthorized data access or manipulation of workflows, with potential escalation to broader system compromise. Additionally, it risks leaking intellectual property related to custom routing logic and could result in regulatory non-compliance, such as GDPR violations for exposed configurations.
To reproduce this vulnerability, log in as an authenticated backend user without explicit permissions for managing static routes. Access the 'Static Routes' API endpoint to retrieve sensitive route configurations. This can be done by copying the necessary authentication tokens from the response of a permitted user and using them to access the endpoint as a low-privileged user.
Users can upgrade to Pimcore versions 12.3.1 or 11.5.14, where this vulnerability has been patched.
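To check whether a deployment is still on an affected release, the following added example (not Pimcore's code and not part of this advisory) reads `composer.lock` content and compares the installed `pimcore/pimcore` version against the fixed releases named above. The sample lock content is constructed, and treating majors below 11 as affected is an assumption based on the listed `<= 11.5.13` range.

```python
import json
import re

# Fixed releases named in the advisory text: 12.3.1 and 11.5.14.
FIXED = {12: (12, 3, 1), 11: (11, 5, 14)}

# Constructed sample of composer.lock content (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-package", "version": "1.0.0"},
        {"name": "pimcore/pimcore", "version": "v12.3.0"},
    ],
    "packages-dev": [],
})

def parse_version(raw):
    """Return (major, minor, patch), or None for dev branches and pre-releases."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not m:
        return None  # e.g. 'dev-main', '11.x-dev', '12.3.1-RC1': needs manual review
    return tuple(int(part or 0) for part in m.groups())

def status(raw):
    """Classify one version string as 'affected', 'fixed' or 'unknown'."""
    v = parse_version(raw)
    if v is None or v[0] > 12:
        return "unknown"  # the advisory says nothing about these versions
    # Assumption: majors below 11 fall under the listed '<= 11.5.13' range.
    fixed = FIXED[12] if v[0] == 12 else FIXED[11]
    return "affected" if v < fixed else "fixed"

def audit_lock(lock_text):
    """Locate pimcore/pimcore in composer.lock content and classify it."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") == "pimcore/pimcore":
                version = pkg.get("version", "")
                return version, status(version)
    return None, "not-installed"

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

An `unknown` result means the installed version is a development branch, pre-release, or a major version the advisory does not cover, and should be reviewed by hand.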