CVE-2022-27139
Published: 12 April 2022
Summary
CVE-2022-27139 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ghost. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
An arbitrary file upload vulnerability exists in the file upload module of Ghost v4.39.0 and is tracked as CVE-2022-27139. The issue is categorized under CWE-434 and carries a CVSS 3.1 score of 9.8. It stems from insufficient validation that permits a crafted SVG file to be uploaded, which the initial disclosure claimed could lead to arbitrary code execution.
The original report describes an unauthenticated remote attacker exploiting the flaw over the network to achieve code execution. The vendor, however, states that SVG uploads are restricted to trusted authenticated users per Ghost's security model, that SVGs are not executed on the server, and that any JavaScript execution occurs only in the client's browser as intended behavior.
Ghost security documentation on privilege-escalation attacks addresses the upload controls and clarifies that the described scenario does not constitute a server-side remote code execution risk.
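The disputed point above is whether an uploaded SVG carries active content that a browser will run. As an added example (not Ghost's own upload code), the scan below flags the common carriers of active content in an SVG before it is stored: script and foreignObject elements, on* event-handler attributes and javascript: hrefs. The sample documents and the size cap are constructed for the example; the list of checks is not exhaustive.

```python
"""Defensive scan of an uploaded SVG for active content.
Added example for CVE-2022-27139; not Ghost's own code. The samples
and MAX_BYTES are constructed assumptions for this illustration."""
import xml.etree.ElementTree as ET

MAX_BYTES = 1_000_000                    # assumed upload size cap
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg: bytes) -> list[str]:
    """Return findings for the SVG; an empty list means nothing was flagged."""
    if len(svg) > MAX_BYTES:
        return ["exceeds size cap"]
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():            # root.iter() includes the root itself
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)         # handles xlink:href as well as href
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def accept_svg_upload(svg: bytes) -> bool:
    """Upload-filter decision: accept only when no active content was found."""
    return not find_active_content(svg)


# Constructed samples
NS = b'xmlns="http://www.w3.org/2000/svg"'
CLEAN = b'<svg ' + NS + b'><circle r="5"/></svg>'
SCRIPTED = b'<svg ' + NS + b'><script>console.log(1)</script></svg>'
HANDLER = b'<svg ' + NS + b'><rect onload="console.log(1)"/></svg>'
LINKED = (b'<svg ' + NS + b' xmlns:xlink="http://www.w3.org/1999/xlink">'
          b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>')
```

Serving stored SVGs with a restrictive Content-Security-Policy or as an attachment is a separate, complementary control that limits what any missed active content can do in the viewer's browser.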
EPSS for the CVE remains at 0.0606 with no material increase from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-1727
Vulnerability details
An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploading of SVG files to Ghost does not represent a remote code execution vulnerability. SVGs are not executable on the server, and may only execute javascript in a client's browser - this is expected and intentional functionality
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.