Grav Privilege Escalation Vulnerability via Blueprint Upload

Vulnerability

A vulnerability in Grav version 2.0.0-beta.2 allows low-privileged authenticated API users with media write permissions to create super-admin accounts. This is achieved by uploading a malicious YAML file through the blueprint-upload API, which is then processed without proper validation. The uploaded file can include administrative credentials, granting full control over the Grav API.

Impact

Exploitation of this vulnerability leads to unauthorized privilege escalation, allowing a low-privileged user to gain super-admin rights and full control over the CMS management API. This includes the ability to modify content, alter configurations, manage users, install or update plugins and themes, and access system-level administration features. Such access could result in a complete compromise of the CMS, with potential for server-side code execution depending on the environment.

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged API user with media write rights. Once authenticated, upload a YAML file through the blueprint-upload API, specifying the destination and scope to target the user accounts directory. The uploaded file should contain the necessary information to create a new account with super-admin privileges. After the upload, log in with the newly created account to gain elevated privileges.
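The root cause described above is that the destination and scope supplied to the blueprint-upload endpoint are trusted, so an upload can be steered into the accounts directory. The following is an added, hypothetical server-side check (not Grav's own code; the scope roots, the `user/accounts` path and the function name are assumptions) showing how such a destination should be resolved and rejected when it escapes its scope or lands under the accounts directory:

```python
import os

# Assumed layout for this example: each upload scope maps to one directory
# under the installation root, and the accounts directory is never writable
# through the blueprint endpoint whatever scope is requested.
ALLOWED_SCOPES = {
    "site": "user/blueprints",
    "theme": "user/themes",
}
FORBIDDEN_ROOTS = ["user/accounts"]


def resolve_blueprint_target(base, scope, destination):
    """Return the absolute path an upload may be written to, or None if the
    request is outside its scope root, inside a forbidden directory, or not
    a YAML blueprint. `scope` and `destination` are the attacker-controlled
    request fields; `base` is the installation root."""
    scope_root = ALLOWED_SCOPES.get(scope)
    if scope_root is None:
        return None
    # Absolute paths and NUL bytes are never legitimate here.
    if os.path.isabs(destination) or "\0" in destination:
        return None
    scope_abs = os.path.realpath(os.path.join(base, scope_root))
    target = os.path.realpath(os.path.join(scope_abs, destination))
    # Reject traversal out of the scope root ("../", symlinks): the resolved
    # target must still sit beneath the scope directory.
    if os.path.commonpath([scope_abs, target]) != scope_abs:
        return None
    # Defence in depth: refuse writes under the accounts directory even if a
    # future scope were ever mapped near it.
    for forbidden in FORBIDDEN_ROOTS:
        forbidden_abs = os.path.realpath(os.path.join(base, forbidden))
        if os.path.commonpath([forbidden_abs, target]) == forbidden_abs:
            return None
    # Blueprints are YAML; anything else is not an expected upload.
    if not target.endswith((".yaml", ".yml")):
        return None
    return target
```

The check must run on the fully resolved path, not on the raw request string, since traversal sequences and symlinks only become visible after resolution.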

Remediation

Users can update to Grav API version 1.0.0-beta.17, where this vulnerability has been fixed.

Added: May 12, 2026, 10:32 PM
Updated: May 12, 2026, 10:32 PM

Vulnerability Rating (custom algorithm)

Category         Score
spread           5.2
impact           5.0
exploitability   6.8
remediation      7.7
relevance        8.2
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.