Bug 847979 (CVE-2021-40317, CVE-2021-40553, CVE-2022-32297, CVE-2022-37183, CVE-2023-26876) - www-apps/piwigo: multiple vulnerabilities
Summary: www-apps/piwigo: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-40317, CVE-2021-40553, CVE-2022-32297, CVE-2022-37183, CVE-2023-26876
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/Piwigo/Piwigo/issu...
Whiteboard: ~1 [??]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-05-28 22:03 UTC by John Helmert III
Modified: 2023-05-12 15:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-28 22:03:49 UTC
CVE-2021-40317:

Piwigo 11.5.0 is affected by a SQL injection vulnerability via admin.php and the id parameter.

This was closed by the reporter as completed, but without any reference to a fix.
Comment 1 Bernard Cafarelli gentoo-dev 2022-06-15 18:06:03 UTC
This can probably be included in bug #828581? It has several CVEs including SQL injections (and, similarly to the others, the GitHub issues are marked as fixed without a clear link to a fix patch/fixed version...)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-05 03:55:53 UTC
CVE-2021-40553 (https://github.com/Yang9999999/vuln/blob/main/README.md):

piwigo 11.5.0 is affected by a remote code execution (RCE) vulnerability in the LocalFiles Editor.

No link to a report upstream in this writeup.
Comment 3 Bernard Cafarelli gentoo-dev 2022-07-05 22:00:24 UTC
To be on the safe side, I only left the just-released 12.3.0 in tree:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=88b0c6b9e0a221c06555546615437e8050f8e8e4

(this bug and also #828581)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 02:42:12 UTC
CVE-2022-32297 (https://github.com/sth276/research/blob/main/piwigo_vul/Second-Order%20SQL%20Injection%20Vulnerabilities%20in%20Piwigo.md):

Piwigo v12.2.0 was discovered to contain SQL injection vulnerability via the Search function.

Of course, despite the CVE description, the writeup says <12.2.0 is
affected. I've asked the person to point out the patch:
https://github.com/sth276/research/issues/1
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-02 01:59:49 UTC
CVE-2022-37183 (https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Piwigo/2022/12.3.0):

Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/1940/created-monthly-list.

No reference to any upstream report or fix. This reads a bit like the
stupid Grafana CVEs, where the "researcher" finds something they think
looks like a problem, makes an "exploit" which looks like it exploits
a different type of vulnerability, but requests a CVE for the original
"problem". From URL:

"The attacker can trick a user to visit some crafted URL that is connected exactly to this system."

This is typical of XSS exploits, getting someone to click on a crafted
URL gets a victim to run attacker-crafted JS in the context of the
victim's browser/session.

"Then he can trick the user to visit some malicious address that the
victim will think is connected with the original web address it
depending on the scenario."

But... this reads a bit like they've found an open redirect. Nothing in
the writeup looks like the "victim" is redirected to a different
website, and no XSS is demonstrated. Putting garbage in the URL does
indeed make some garbage appear on the page, but that's not the same
as XSS.
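As an added illustration of the distinction drawn in the comment above (example code written for this page, not from the bug report, the CVE writeup or Piwigo): a small triage helper that separates an inert, HTML-escaped echo of a query parameter from a raw reflection worth investigating as XSS, and an off-site redirect from an ordinary local one. The site host, the probe marker and all sample responses are constructed.

```python
import html
from urllib.parse import urlparse

# Harmless probe: a tag that renders visibly but executes nothing. If it comes
# back escaped, the page merely echoes garbage; only a raw reflection is worth
# triaging as XSS. (Assumed marker, not taken from the bug report.)
MARKER = "zz<b>zz"

def classify_reflection(status, headers, body, site_host, marker=MARKER):
    """Bucket one HTTP response to a probe request into a triage category."""
    if 300 <= status < 400:
        target = urlparse(headers.get("Location", ""))
        # Only a redirect that leaves the site is an open redirect;
        # relative or same-host Location values are normal behaviour.
        if target.netloc and target.netloc.lower() != site_host.lower():
            return "open-redirect"
    if marker in body:
        return "xss-candidate"       # markup reached the HTML unescaped
    if html.escape(marker) in body:
        return "escaped-reflection"  # garbage visible on the page, but inert
    return "no-reflection"

# Constructed sample responses (status, headers, body); not captured traffic.
SAMPLES = {
    "escaped": (200, {}, "<h2>Search: zz&lt;b&gt;zz</h2><p>0 results</p>"),
    "raw": (200, {}, "<h2>Search: zz<b>zz</h2>"),
    "redirect-ext": (302, {"Location": "https://other.example/?q=zz<b>zz"}, ""),
    "redirect-local": (302, {"Location": "/index.php?/search/1"}, ""),
    "ignored": (200, {}, "<h2>Search</h2>"),
}

def triage(samples=SAMPLES, site_host="gallery.example"):
    """Classify every sample response; returns {name: verdict}."""
    return {name: classify_reflection(status, headers, body, site_host)
            for name, (status, headers, body) in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:15s} -> {verdict}")
```

Only the "xss-candidate" bucket calls for a closer look at the rendering context; "escaped-reflection" is the "garbage appears on the page" case the comment describes.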
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-24 01:03:58 UTC
CVE-2023-26876 (https://gist.github.com/rodnt/a190d14d1715890d8df19bad58b90693)

SQL injection vulnerability found in Piwigo v.13.5.0 and before allows a remote attacker to execute arbitrary code via the filter_user_id parameter to the admin.php?page=history&filter_image_id=&filter_user_id endpoint.

Of course, SQL injection isn't really "arbitrary code execution"...
Comment 7 Bernard Cafarelli gentoo-dev 2023-05-12 14:55:11 UTC
I guess that last one is the last mentioned issue in https://piwigo.org/release-13.7.0
1876 / Security
[History page] SQL injection issue found in 13.5.0

(2 other SQL injections are mentioned)

In all cases I am adding 13.7.0 and dropping previous versions.
Comment 8 Larry the Git Cow gentoo-dev 2023-05-12 15:00:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6d53ca50646592077760070f329bb3175d035cf

commit a6d53ca50646592077760070f329bb3175d035cf
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-05-12 14:58:00 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-05-12 14:58:39 +0000

    www-apps/piwigo: 13.7.0 bump, drop older versions for security vulns
    
    Bug: https://bugs.gentoo.org/847979
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/piwigo/Manifest                           |  3 +-
 www-apps/piwigo/piwigo-13.6.0.ebuild               | 44 ----------------------
 .../{piwigo-13.5.0.ebuild => piwigo-13.7.0.ebuild} |  0
 3 files changed, 1 insertion(+), 46 deletions(-)