{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/grav--2.0.0-beta.2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["grav (\u003c 2.0.0-beta.2)"],"_cs_severities":["high"],"_cs_tags":["insecure-deserialization","code-execution","grav","web-application"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eGrav, a flat-file CMS, versions 1.7.44 through 1.7.49.5 are susceptible to an insecure deserialization vulnerability within the \u003ccode\u003eFileCache\u003c/code\u003e component. Specifically, the \u003ccode\u003eunserialize()\u003c/code\u003e function in \u003ccode\u003esystem/src/Grav/Framework/Cache/Adapter/FileCache.php\u003c/code\u003e utilizes the \u003ccode\u003eallowed_classes =\u0026gt; true\u003c/code\u003e option, which permits the instantiation of arbitrary classes without any restrictions. This vulnerability can be exploited if an attacker gains the ability to tamper with or poison the cache files used by Grav. By injecting malicious serialized objects into these cache files, an attacker can trigger the execution of arbitrary code when the application attempts to deserialize the tampered cache data. This issue was reported on May 5th, 2026. A fix has been implemented in Grav core on the 2.0 branch (commit \u003ccode\u003ec66dfeb5f\u003c/code\u003e), set to be included in version 2.0.0-beta.2. This fix introduces HMAC signing and verification to ensure the integrity of cache payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to the Grav server\u0026rsquo;s filesystem with write privileges to the cache directory.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP object that, when unserialized, will execute arbitrary code. This payload could leverage existing classes or magic methods like \u003ccode\u003e__wakeup()\u003c/code\u003e to achieve code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker serializes the malicious PHP object using the \u003ccode\u003eserialize()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites an existing cache file or creates a new one containing the serialized payload in the Grav cache directory (location varies based on configuration, but default is often in \u003ccode\u003ecache/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Grav application attempts to read the tampered cache file using the \u003ccode\u003eFileCache::doGet()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunserialize($value, ['allowed_classes' =\u0026gt; true])\u003c/code\u003e function is called on the tampered cache data.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP object is deserialized, triggering the execution of the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the Grav server, potentially leading to full system compromise, data exfiltration, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on the Grav server. This can lead to complete system compromise, data exfiltration, defacement of websites, or the installation of backdoors for persistent access. Given that Grav is a CMS, this can impact any website or application built on the platform. The number of potential victims is dependent on the number of Grav installations running the vulnerable versions (1.7.44 - 1.7.49.5) and the attacker\u0026rsquo;s ability to access and modify the cache files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Grav version 2.0.0-beta.2 or later, where the vulnerability is addressed with HMAC signing of cache payloads, as detailed in commit \u003ccode\u003ec66dfeb5f\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor file system access, particularly writes to the cache directory, for suspicious activity. Consider deploying file integrity monitoring tools to detect unauthorized modifications to cache files.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement strict access controls to the cache directory to prevent unauthorized write access.\u003c/li\u003e\n\u003cli\u003eReview and audit any plugins or custom code that utilize the \u003ccode\u003eGrav\\Framework\\Cache\\Adapter\\FileCache\u003c/code\u003e class, ensuring they are not susceptible to cache poisoning attacks.\u003c/li\u003e\n\u003cli\u003eImplement the provided PoC locally to validate your exposure and test the effectiveness of mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-grav-filecache-deserialization/","summary":"Grav versions 1.7.44 through 1.7.49.5 are vulnerable to insecure deserialization in the File Cache component, where the `unserialize` function with `allowed_classes =\u003e true` can lead to arbitrary code execution if an attacker tampers with cache files.","title":"Grav File Cache Insecure Deserialization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-30-grav-filecache-deserialization/"}],"language":"en","title":"CraftedSignal Threat Feed — Grav (\u003c 2.0.0-Beta.2)","version":"https://jsonfeed.org/version/1.1"}