TYPO3-EXT-SA-2020-014 addresses the same vulnerability - the functionality has been extracted back then during TYPO3 v7 development to extension mediace.
- Component Type: TYPO3 CMS
- Release Date: July 28, 2020
- Vulnerability Type: Sensitive Information Disclosure
- Affected Versions: 6.2.16-6.2.51 ELTS
- Severity: critical
- Suggested CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
- References: CVE-2020-15086
It has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message authentication code (HMAC-SHA1) and can lead to various attack chains as described below.
- TYPO3-CORE-SA-2020-007, CVE-2020-15099: Potential Privilege Escalation
- the database server used for a TYPO3 installation must be accessible for an attacker (either via internet or shared hosting network)
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (7.5, high)
- TYPO3-CORE-SA-2016-013, CVE-2016-5091: Insecure Deserialization & Remote Code Execution
- an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C (9.1, critical)
The overall severity of this vulnerability is critical (9.1) based on mentioned attack chains and the fact it does not require any privileges.
Due to the seriousness and ease of exploitation of this vulnerability and the still widespread use of TYPO3 6.2, we have decided to make this update available to all TYPO3 6.2 users, not just TYPO3 ELTS 6.2 customers.
Update to TYPO3 version 6.2.52 ELTS.
Outdated TYPO3 projects that are not covered by the ELTS release stream have to apply a patch file manually.
- typo3-psa-2020-001-6-2.patch.sig (GPG detached signature)
- 248ee155056037f142a4d3d718d52e99b074c503508ec1a2d4b06839b8b6fba9 (SHA256 checksum)
cd typo3_src wget typo3.azureedge.net/typo3patches/typo3-psa-2020-001-6-2.patch shasum -a 256 typo3-psa-2020-001-6-2.patch # please verify SHA256 checksum as shown above patch -p1 < typo3-psa-2020-001-6-2.patch rm typo3-psa-2020-001-6-2.patch
Thanks to TYPO3 security team member Oliver Hader who reported and fixed the issue.
Thanks to TYPO3 GmbH team member Andreas Fernandez for providing the back-port to TYPO3 6.2.
All security related code changes are tagged so that you can easily look them up in our review system.