CVE-2023-34448: 
PHP vulnerability analysis and mitigation

CVE-2023-34448 affects Grav, a flat-file content management system. Prior to version 1.7.42, the system contained a server-side template injection (SSTI) vulnerability that allowed for remote code execution. The vulnerability was a bypass of an earlier patch for CVE-2022-2073, where the fix for the default filter() function did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions (GitHub Advisory).

The vulnerability exists in the Twig template engine implementation within Grav CMS. The original patch for CVE-2022-2073 only protected against the filter() function, but left map() and reduce() filter functions exposed, which could still be used to execute arbitrary commands. The vulnerability has a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).

Successful exploitation of this vulnerability allows authenticated attackers with access to the Grav Admin panel and page creation/update permissions to achieve remote code execution. This could lead to complete system compromise, allowing attackers to execute arbitrary commands within the context of the web application (GitHub Advisory).

The vulnerability was patched in version 1.7.42 by overriding the built-in Twig map() and reduce() filter functions in system/src/Grav/Common/Twig/Extension/GravExtension.php to validate the argument passed to the filter in $arrow. Users should upgrade to this version or later to protect against this vulnerability (GitHub Advisory).