SCA: security update for getgrav/grav (GHSA-m7hx-hw6h-mqmc)

high Tenable Cloud Security Plugin ID 416814

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability
has been identified in the application prior to version 1.7.45, enabling attackers to replace or create
files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks,
that can allow attackers to inject arbitrary code on the server, undermine integrity of backup files by
overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration
techniques. Upgrading to patched version 1.7.45 can mitigate the issue. (CVE-2024-27921)

See Also

https://github.com/advisories/GHSA-m7hx-hw6h-mqmc

Plugin Details

Severity: High

ID: 416814

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-27921

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/22/2024

Vulnerability Publication Date: 3/21/2024

Reference Information

CVE: CVE-2024-27921

cwe: CWE-22