
CVE-2023-40028

Medium

Published: 15 August 2023

Modified: 21 November 2024
CVSS v3.1 base score: 4.9 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.7761 (99.0th percentile)
Risk priority: 56 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-40028 is a medium-severity path traversal (CWE-22) vulnerability in Ghost, an open source content management system. Its CVSS v3.1 base score is 4.9 (Medium).

Operationally, it ranks in the top 1.0% of CVEs by predicted exploit likelihood (EPSS 0.7761); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Ghost is an open source content management system affected by CVE-2023-40028 in all versions prior to 5.59.1. The flaw permits authenticated users to upload files that are symbolic links, which the application then follows during later file operations. The root cause is insufficient validation of uploaded content against symlink and path traversal risks (CWE-22 and CWE-59), so a link planted inside the content directory yields reads outside it on the underlying host. The CVSS 4.9 score reflects a network attack vector, low attack complexity and a high-privilege requirement, with high confidentiality impact and no integrity or availability impact.

An authenticated attacker with upload privileges can place a symlink inside Ghost's content/ directory and subsequently retrieve the contents of any file that the Ghost process itself is permitted to read, since the link is followed with that process's privileges. Exploitation therefore yields arbitrary file disclosure but does not directly permit modification or service disruption. Because the vector requires authenticated access, the primary threat actors are users already holding accounts with upload privileges, such as editors or administrators, or anyone who has obtained such an account's credentials or session.

The official Ghost security advisory GHSA-9c9v-w225-v5rg and the accompanying patch commit 690fbf3f7302ff3f77159c0795928bdd20f41205 state that version 5.59.1 contains the fix. Administrators are advised to upgrade immediately; the advisory also recommends inspecting the content/ folder for unrecognized symlinks as an indicator of prior exploitation. No workarounds are documented.

The EPSS score peaked at 0.7970 and currently stands at 0.7761, indicating a sustained high predicted likelihood of exploitation since disclosure.


Vulnerability details

Ghost is an open source content management system. Versions prior to 5.59.1 are subject to a vulnerability which allows authenticated users to upload files that are symlinks. This can be exploited to perform an arbitrary file read of any file on the host operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder. Version 5.59.1 contains a fix for this issue. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-59: Improper Link Resolution Before File Access ('Link Following')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ghost
Product: ghost
Affected versions: < 5.59.1 (fixed in 5.59.1)

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
