Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-3hta-35zx-zuc4

Summary

TYPO3 Install Tool vulnerable to Code Execution
### Problem
Several settings in the Install Tool for configuring the path to system binaries were vulnerable to code execution. Exploiting this vulnerability requires an administrator-level backend user account with system maintainer permissions.

The corresponding change for this advisory involves enforcing the known disadvantages described in [TYPO3-PSA-2020-002: Protecting Install Tool with Sudo Mode](https://typo3.org/security/advisory/typo3-psa-2020-002).

### Solution
Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

### Credits
Thanks to Rickmer Frier & Daniel Jonka who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue.

### References
* [TYPO3-CORE-SA-2024-002](https://typo3.org/security/advisory/typo3-core-sa-2024-002)

Aliases

alias	CVE-2024-22188

alias	GHSA-5w2h-59j3-8x5w

Fixed_packages

url	pkg:composer/typo3/cms-core@8.7.57
purl	pkg:composer/typo3/cms-core@8.7.57
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.7.57

url	pkg:composer/typo3/cms-core@9.5.46
purl	pkg:composer/typo3/cms-core@9.5.46
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.5.46

url	pkg:composer/typo3/cms-core@10.4.43
purl	pkg:composer/typo3/cms-core@10.4.43
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.4.43

url	pkg:composer/typo3/cms-core@11.5.35
purl	pkg:composer/typo3/cms-core@11.5.35
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.5.35

url	pkg:composer/typo3/cms-core@12.4.11
purl	pkg:composer/typo3/cms-core@12.4.11
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.4.11

url	pkg:composer/typo3/cms-core@13.0.1
purl	pkg:composer/typo3/cms-core@13.0.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.1

Affected_packages

url pkg:composer/typo3/cms-core@8.0.0

purl pkg:composer/typo3/cms-core@8.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1knh-es99-dubw

vulnerability	VCID-1prg-c74k-37ec

vulnerability	VCID-2m67-xdxz-ryc2

vulnerability	VCID-2rhr-8vaz-hqfj

vulnerability	VCID-3hta-35zx-zuc4

vulnerability	VCID-6ffw-r4k7-5qf8

vulnerability	VCID-6q7t-kdrg-8qc3

vulnerability	VCID-6rgp-dzw1-kycx

vulnerability	VCID-7ch1-q9f4-a7bt

vulnerability	VCID-7r4g-gxc6-hubh

vulnerability	VCID-82ds-xda8-5ye4

vulnerability	VCID-8sek-v483-8ueu

vulnerability	VCID-b92x-56ng-3ygy

vulnerability	VCID-bzqv-s7g3-wff9

vulnerability	VCID-cg7w-xkyg-abgj

vulnerability	VCID-cv9x-ea8e-pufu

vulnerability	VCID-daz8-j1ns-rkgt

vulnerability	VCID-e8ze-umec-a7hx

vulnerability	VCID-e9jc-8mpp-fkgh

vulnerability	VCID-hfcx-1kuh-p3ez

vulnerability	VCID-hnyk-614g-yuhy

vulnerability	VCID-j8hk-bqnb-gycp

vulnerability	VCID-k8r2-2ak8-qkak

vulnerability	VCID-n56h-zuzr-ruhf

vulnerability	VCID-nyw8-q5ef-2fcv

vulnerability	VCID-pwh8-c992-vqav

vulnerability	VCID-qr1u-kcn9-cuf6

vulnerability	VCID-qxab-9uwr-yqhv

vulnerability	VCID-sdjb-gp4t-vbgt

vulnerability	VCID-uaf3-fyst-u7gm

vulnerability	VCID-uncp-sa58-ufdd

vulnerability	VCID-uq77-aax5-k7d8

vulnerability	VCID-uua1-9rt1-dfbz

vulnerability	VCID-w94g-xxea-23fb

vulnerability	VCID-wm4a-hcvt-vkbk

vulnerability	VCID-y3zj-acc7-jkau

vulnerability	VCID-z2bk-m2kw-h3c9

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@8.0.0

url pkg:composer/typo3/cms-core@9.0.0

purl pkg:composer/typo3/cms-core@9.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1knh-es99-dubw

vulnerability	VCID-1prg-c74k-37ec

vulnerability	VCID-23ss-xwrm-1qcu

vulnerability	VCID-2m67-xdxz-ryc2

vulnerability	VCID-2rhr-8vaz-hqfj

vulnerability	VCID-3hta-35zx-zuc4

vulnerability	VCID-6ffw-r4k7-5qf8

vulnerability	VCID-6q7t-kdrg-8qc3

vulnerability	VCID-6rgp-dzw1-kycx

vulnerability	VCID-7ch1-q9f4-a7bt

vulnerability	VCID-7r4g-gxc6-hubh

vulnerability	VCID-82ds-xda8-5ye4

vulnerability	VCID-8sek-v483-8ueu

vulnerability	VCID-a1g9-pyz5-9fca

vulnerability	VCID-bzqv-s7g3-wff9

vulnerability	VCID-cf9m-qdyj-eyav

vulnerability	VCID-cv9x-ea8e-pufu

vulnerability	VCID-daz8-j1ns-rkgt

vulnerability	VCID-e8ze-umec-a7hx

vulnerability	VCID-e9jc-8mpp-fkgh

vulnerability	VCID-efrn-3w2z-xyaf

vulnerability	VCID-hfcx-1kuh-p3ez

vulnerability	VCID-hnyk-614g-yuhy

vulnerability	VCID-j8hk-bqnb-gycp

vulnerability	VCID-k8r2-2ak8-qkak

vulnerability	VCID-n56h-zuzr-ruhf

vulnerability	VCID-nyw8-q5ef-2fcv

vulnerability	VCID-pwh8-c992-vqav

vulnerability	VCID-qr1u-kcn9-cuf6

vulnerability	VCID-qxab-9uwr-yqhv

vulnerability	VCID-sdjb-gp4t-vbgt

vulnerability	VCID-uaf3-fyst-u7gm

vulnerability	VCID-uncp-sa58-ufdd

vulnerability	VCID-uq77-aax5-k7d8

vulnerability	VCID-uua1-9rt1-dfbz

vulnerability	VCID-v7b1-x8hy-2kcg

vulnerability	VCID-w94g-xxea-23fb

vulnerability	VCID-wm4a-hcvt-vkbk

vulnerability	VCID-x5jb-yj3d-qbdf

vulnerability	VCID-y3zj-acc7-jkau

vulnerability	VCID-z2bk-m2kw-h3c9

vulnerability	VCID-zbm9-cx69-wqg3

vulnerability	VCID-zhcb-h8ph-7uhk

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@9.0.0

url pkg:composer/typo3/cms-core@10.0.0

purl pkg:composer/typo3/cms-core@10.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2rhr-8vaz-hqfj

vulnerability	VCID-3hta-35zx-zuc4

vulnerability	VCID-6a22-c7x5-sqe2

vulnerability	VCID-7r4g-gxc6-hubh

vulnerability	VCID-9tpm-8udy-c3cd

vulnerability	VCID-a1g9-pyz5-9fca

vulnerability	VCID-bzqv-s7g3-wff9

vulnerability	VCID-gxsd-4nd9-gqgn

vulnerability	VCID-j8hk-bqnb-gycp

vulnerability	VCID-sdjb-gp4t-vbgt

vulnerability	VCID-uq77-aax5-k7d8

vulnerability	VCID-uua1-9rt1-dfbz

vulnerability	VCID-w94g-xxea-23fb

vulnerability	VCID-y3zj-acc7-jkau

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@10.0.0

url pkg:composer/typo3/cms-core@11.0.0

purl pkg:composer/typo3/cms-core@11.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2rhr-8vaz-hqfj

vulnerability	VCID-3hta-35zx-zuc4

vulnerability	VCID-6a22-c7x5-sqe2

vulnerability	VCID-7r4g-gxc6-hubh

vulnerability	VCID-9tpm-8udy-c3cd

vulnerability	VCID-a1g9-pyz5-9fca

vulnerability	VCID-bzqv-s7g3-wff9

vulnerability	VCID-fsx8-7qjz-2ubw

vulnerability	VCID-gxsd-4nd9-gqgn

vulnerability	VCID-j8hk-bqnb-gycp

vulnerability	VCID-sdjb-gp4t-vbgt

vulnerability	VCID-uq77-aax5-k7d8

vulnerability	VCID-uua1-9rt1-dfbz

vulnerability	VCID-w94g-xxea-23fb

vulnerability	VCID-y3zj-acc7-jkau

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@11.0.0

url pkg:composer/typo3/cms-core@12.0.0

purl pkg:composer/typo3/cms-core@12.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3hta-35zx-zuc4

vulnerability	VCID-6a22-c7x5-sqe2

vulnerability	VCID-7r4g-gxc6-hubh

vulnerability	VCID-9tpm-8udy-c3cd

vulnerability	VCID-bzqv-s7g3-wff9

vulnerability	VCID-gxsd-4nd9-gqgn

vulnerability	VCID-uua1-9rt1-dfbz

vulnerability	VCID-w94g-xxea-23fb

vulnerability	VCID-y3zj-acc7-jkau

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@12.0.0

url pkg:composer/typo3/cms-core@13.0.0

purl pkg:composer/typo3/cms-core@13.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3hta-35zx-zuc4

vulnerability	VCID-7r4g-gxc6-hubh

vulnerability	VCID-9tpm-8udy-c3cd

vulnerability	VCID-uua1-9rt1-dfbz

vulnerability	VCID-w94g-xxea-23fb

vulnerability	VCID-y3zj-acc7-jkau

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/typo3/cms-core@13.0.0

References

reference_url	https://github.com/TYPO3/typo3
reference_id
reference_type
scores
url	https://github.com/TYPO3/typo3

reference_url	https://github.com/TYPO3/typo3/commit/47e897f8c7668ef299ecc9ce93f52cafbb3497ed
reference_id
reference_type
scores
url	https://github.com/TYPO3/typo3/commit/47e897f8c7668ef299ecc9ce93f52cafbb3497ed

reference_url	https://github.com/TYPO3/typo3/commit/6cc11761b8e2434fa4ccc9f096c65ca82569cfdf
reference_id
reference_type
scores
url	https://github.com/TYPO3/typo3/commit/6cc11761b8e2434fa4ccc9f096c65ca82569cfdf

reference_url	https://github.com/TYPO3/typo3/commit/84e07e35b880a544b517868432c56987d05d46d4
reference_id
reference_type
scores
url	https://github.com/TYPO3/typo3/commit/84e07e35b880a544b517868432c56987d05d46d4

reference_url	https://typo3.org/help/security-advisories
reference_id
reference_type
scores
url	https://typo3.org/help/security-advisories

reference_url	https://typo3.org/security/advisory/typo3-core-sa-2024-002
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-core-sa-2024-002

reference_url	https://typo3.org/security/advisory/typo3-psa-2020-002
reference_id
reference_type
scores
url	https://typo3.org/security/advisory/typo3-psa-2020-002

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2024-22188
reference_id	CVE-2024-22188
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2024-22188

reference_url	https://github.com/advisories/GHSA-5w2h-59j3-8x5w
reference_id	GHSA-5w2h-59j3-8x5w
reference_type
scores
url	https://github.com/advisories/GHSA-5w2h-59j3-8x5w

reference_url	https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w
reference_id	GHSA-5w2h-59j3-8x5w
reference_type
scores
url	https://github.com/TYPO3/typo3/security/advisories/GHSA-5w2h-59j3-8x5w

Weaknesses

cwe_id	77
name	Improper Neutralization of Special Elements used in a Command ('Command Injection')
description	The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

cwe_id	94
name	Improper Control of Generation of Code ('Code Injection')
description	The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3hta-35zx-zuc4

Vulnerability Instance