Cyber Resilience

CVE-2024-27921

High · Public PoC

Published: 21 March 2024
Modified: 02 January 2025
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0879 (92.7th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-27921 is a high-severity Path Traversal (CWE-22) vulnerability in Getgrav Grav. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 7.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Grav is an open-source flat-file content management system affected by a file upload path traversal vulnerability (CWE-22) in versions prior to 1.7.45. The flaw resides in the upload handling logic and permits creation or replacement of files bearing extensions such as .json, .zip, .css, or .gif, which can be leveraged to inject server-side code, corrupt backup archives, or enable CSS-based data exfiltration. The issue carries a CVSS 3.1 base score of 8.8.

An authenticated user with low privileges can exploit the vulnerability over the network without user interaction to overwrite arbitrary files on the server, thereby achieving remote code execution, integrity violations against backups, or sensitive data leakage. Because the attack requires only standard upload functionality, it can be performed by any account permitted to upload content.

Public advisories and patches direct administrators to upgrade immediately to version 1.7.45; the fix is documented in the Grav repository commit 5928411b86bab05afca2b33db4e7386a44858e99 and the corresponding GitHub Security Advisory GHSA-m7hx-hw6h-mqmc.

The associated EPSS score reached a peak of 0.1110 before receding to its current value of 0.0879, indicating modest post-disclosure interest that has since declined.


Vulnerability details

Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks that can allow attackers to inject arbitrary code on the server, undermine the integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 can mitigate the issue.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

getgrav / grav, versions ≤ 1.7.45

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
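The control above is generic, so here is a worked illustration of what it means for an upload handler. This is an added example written for this page, not Grav's code and not taken from the fix commit; the upload root, the extension allow-list and the sample filenames are all constructed. It places the weak pattern (join the client-supplied name to the upload directory and trust the result) next to a hardened version that rejects path separators, enforces an extension allow-list, and re-checks that the resolved path is still inside the upload root.

```python
import posixpath
from urllib.parse import unquote

# Constructed upload root for the example; not a path taken from the advisory.
UPLOAD_ROOT = "/srv/app/user/uploads"

# Constructed allow-list: only the types this hypothetical application needs to store.
# Types such as .json, .zip or .css (the ones named in the advisory) are deliberately absent.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".pdf"}


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename fails validation."""


def naive_upload_path(filename: str, upload_root: str = UPLOAD_ROOT) -> str:
    """The weak pattern: trust the client's name and join it to the upload root.

    normpath() collapses '..' segments, so a name like '../../config/x.json'
    resolves to a location outside upload_root. This is the CWE-22 shape.
    """
    return posixpath.normpath(posixpath.join(upload_root, filename))


def safe_upload_path(filename: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Hardened version: validate the name, then re-check the resolved path.

    Layer 1: accept only a plain file name (no separators, NUL bytes or dot-names).
    Layer 2: enforce an extension allow-list.
    Layer 3: confirm the final path is still inside upload_root.
    """
    # Decode once so percent-encoded separators ('%2e%2e%2f') cannot be smuggled
    # past the checks below; a real handler would do this at its framework boundary.
    name = unquote(filename)

    if "\x00" in name:
        raise UnsafeFilename("NUL byte in filename")
    if "/" in name or "\\" in name:
        raise UnsafeFilename("path separators are not allowed in a filename")
    if name in ("", ".", "..") or name.startswith("."):
        raise UnsafeFilename("empty, dot-only or hidden filename")

    ext = posixpath.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension {ext!r} is not on the allow-list")

    root = posixpath.normpath(upload_root)
    resolved = posixpath.normpath(posixpath.join(root, name))
    # Defence in depth: even after the checks above, the path must stay under root.
    if posixpath.commonpath([root, resolved]) != root:
        raise UnsafeFilename("resolved path escapes the upload root")
    return resolved


def is_rejected(filename: str) -> bool:
    """True if safe_upload_path refuses the name (used by the demo below)."""
    try:
        safe_upload_path(filename)
    except UnsafeFilename:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name and several traversal/type probes.
    samples = ["logo.png", "../../config/site.json", "%2e%2e%2fbackup.zip",
               "..\\theme.css", "/etc/passwd", "notes.PDF", ".htaccess", "theme.css"]
    for s in samples:
        verdict = "REJECTED" if is_rejected(s) else safe_upload_path(s)
        print(f"{s!r:28} naive -> {naive_upload_path(s)!r:42} safe -> {verdict}")
```

The last layer looks redundant once separators are refused, and that is the point: the allow-list and the separator check are the policy, while the `commonpath` comparison is the invariant that stays true even if a later refactor weakens the policy. A detection-side corollary is that any upload request whose filename contains `..`, a separator, or a percent-encoded equivalent is worth logging on its own, since legitimate clients never need them.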
