Cyber Resilience

CVE-2023-35169

Critical · Public PoC

Published: 23 June 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: version 5.3.0
CVSS Score (v3.1): 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0972 (93.1st percentile)
Risk Priority: 24 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-35169 is a critical-severity Path Traversal (CWE-22) vulnerability in Webklex Php-Imap. Its CVSS base score is 9.0 (Critical).

Operationally, it ranks in the top 6.9% of CVEs by exploit likelihood (EPSS 0.0972, 93.1st percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

PHP-IMAP, a library providing IMAP access without the native php-imap extension, is affected by CVE-2023-35169 in versions prior to 5.3.0. The root cause is the Attachment::save() method in webklex/php-imap (and the related laravel-imap package), which accepts an unsanitized filename parameter and, when none is supplied, falls back to raw values taken from the email headers. Because the name is joined onto the destination path without validation, an attacker controls where the file lands: path traversal (CWE-22) lets them place attacker-controlled content in any directory the application's user can write to, which can yield remote code execution (for example, a .php file dropped under the web root, or a script overwritten that cron later runs).

An unauthenticated attacker delivers the exploit simply by sending an email with a crafted attachment to an inbox that the vulnerable library processes. When the application later invokes Attachment::save() without a sanitized filename, the library writes or overwrites files using the attacker-supplied name and content, including PHP scripts or other executable payloads. The library enforces no file-extension or content restrictions, so the attack succeeds against any deployment that stores attachments from untrusted mail without explicit sanitization.

The project's security advisory GHSA-47p7-xfcc-4pv9 and the 5.3.0 release notes recommend an immediate upgrade to version 5.3.0, which adds filename sanitization and removes the unsafe fallback logic. Deployments that cannot upgrade immediately should pass an explicitly sanitized $filename to Attachment::save() rather than relying on the library's defaults. The EPSS score has remained flat at 0.0972, with no material increase after disclosure.

Vulnerability details

PHP-IMAP is a wrapper for common IMAP communication without the need to have the php-imap module installed / enabled. Prior to version 5.3.0, an unsanitized attachment filename allows any unauthenticated user to leverage a directory traversal vulnerability, which results in a remote code execution vulnerability. Every application that stores attachments with `Attachment::save()` without providing a `$filename` or passing unsanitized user input is affected by this attack. An attacker can send an email with a malicious attachment to the inbox, which gets crawled with `webklex/php-imap` or `webklex/laravel-imap`. Prerequisite for the vulnerability is that the script stores the attachments without providing a `$filename`, or providing an unsanitized `$filename`, in `src/Attachment::save(string $path, string $filename = null)`. In this case, where no `$filename` gets passed into the `Attachment::save()` method, the package would use a series of unsanitized and insecure input values from the mail as fallback. Even if a developer passes a `$filename` into the `Attachment::save()` method, e.g. by passing the name or filename of the mail attachment itself (from email headers), the input values never get sanitized by the package. There is also no restriction about the file extension (e.g. ".php") or the contents of a file. This allows an attacker to upload malicious code of any type and content at any location where the underlying user has write permissions. The attacker can also overwrite existing files and inject malicious code into files that, e.g. get executed by the system via cron or requests. Version 5.3.0 contains a patch for this issue.
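The two paragraphs above (the deeper analysis and the advisory text) describe the same unsafe pattern: a header-derived name reaching `Attachment::save()` unvetted. The following is an added example, written for this page and not code from webklex/php-imap or its advisory. It assumes the `Attachment::save(string $path, string $filename = null)` signature quoted above and that the attachment exposes its header-supplied name as `$attachment->name` (an assumption about the library's attribute access); the helper names `safeAttachmentName`, `assertInsideDir` and `storeAttachment` are invented here. The sample header values at the bottom are constructed.

```php
<?php
// Added example (not library code): the unsafe call pattern from the advisory
// beside a hardened wrapper that never lets a mail header choose the path.
declare(strict_types=1);

/**
 * Derive a safe on-disk name from an untrusted attachment name.
 *  - keep only the final path component (drops "../" and absolute prefixes),
 *  - normalise backslashes first, since basename() only honours "/" on non-Windows hosts,
 *  - allowlist characters and trim leading/trailing dots (no ".", "..", or dotfiles),
 *  - ignore the attacker's extension entirely and store as an opaque .bin,
 *  - prefix a random token so existing files can never be overwritten.
 */
function safeAttachmentName(string $raw): string
{
    $leaf  = basename(str_replace('\\', '/', $raw));
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '_', $leaf) ?? '';
    $clean = trim($clean, '.');
    if ($clean === '') {
        $clean = 'attachment';
    }
    $clean = substr($clean, 0, 64);
    return bin2hex(random_bytes(8)) . '_' . $clean . '.bin';
}

/**
 * Defence in depth: refuse any destination that does not resolve inside $baseDir,
 * even if the name sanitiser above ever regresses.
 */
function assertInsideDir(string $baseDir, string $candidate): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("attachment store does not exist: $baseDir");
    }
    // realpath() requires an existing entry, so resolve the parent and re-append the leaf.
    $parent   = realpath(dirname($candidate));
    $resolved = ($parent === false ? dirname($candidate) : $parent)
              . DIRECTORY_SEPARATOR . basename($candidate);
    if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("refusing to write outside $base: $candidate");
    }
    return $resolved;
}

// --- Vulnerable pattern (what the advisory describes; do not use) ----------
// $attachment->save($storeDir);                      // no $filename: pre-5.3.0 falls back to header values
// $attachment->save($storeDir, $attachment->name);   // header value passed through unsanitised

// --- Hardened pattern -------------------------------------------------------
function storeAttachment(object $attachment, string $storeDir): string
{
    // $attachment->name is assumed to be the header-supplied name exposed by the library.
    $name   = safeAttachmentName((string) ($attachment->name ?? ''));
    $target = assertInsideDir($storeDir, $storeDir . DIRECTORY_SEPARATOR . $name);
    // Always pass an explicit, vetted $filename; never rely on the library's fallback.
    $attachment->save($storeDir, $name);
    return $target;
}

// Constructed header values an attacker might send, and what the sanitiser makes of them.
foreach (['../../public/shell.php', '..\\..\\config.php', '.htaccess', "inv\x00oice.pdf", '...'] as $raw) {
    printf("%-30s -> %s\n", json_encode($raw), safeAttachmentName($raw));
}
```

Storing every attachment under a random `.bin` name means a dropped `shell.php` is inert even if the store is accidentally web-served; keep the original display name in a database column and set it via `Content-Disposition` on download rather than on the filesystem. Upgrading to 5.3.0 remains the primary fix; the wrapper is the compensating control for code that still passes header-derived names.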

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

webklex/php-imap, versions before 5.3.0 (fixed in 5.3.0)

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE) cited in the NVD entry.

Pathname and filename validation (addresses CWE-22): validate pathnames and filenames to prevent traversal outside intended directories. For this CVE that means upgrading to php-imap 5.3.0 or, until then, passing an explicitly sanitized $filename to Attachment::save() instead of relying on header-derived defaults.