VYPR
High severity · NVD Advisory · Published Dec 15, 2021 · Updated Aug 4, 2024

PHP file inclusion in the Sulu admin panel

CVE-2021-43836

Description

Sulu is an open-source PHP content management system based on the Symfony framework. In affected versions an attacker can read arbitrary local files via a PHP file include; in a default configuration this also leads to remote code execution. The problem is patched in versions 1.6.44, 2.2.18, 2.3.8 and 2.4.0. Users unable to upgrade should overwrite the service sulu_route.generator.expression_token_provider and wrap the translator before passing it to the expression language.
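The mechanism behind the description and the workaround, as an added example that is not part of this advisory or of Sulu's code: a route-generation expression such as translator.trans("key") is resolved by calling the named method on whatever object is bound to the translator variable, so binding the full translator also exposes its addResource() method, while binding a delegating wrapper with a fixed method surface does not. Symfony's ExpressionLanguage and Translator are replaced here by constructed stand-ins (evaluateToken, StubTranslator, SafeTranslatorWrapper) so the script runs with plain PHP 7.4+ and no dependencies; the stub only records addResource() calls instead of loading anything, and its signature is simplified relative to the real class.

```php
<?php
// Added example, not Sulu's code: models how binding a full translator into an
// expression evaluator exposes addResource(), and how a fixed-surface wrapper
// (the approach of the fix) removes it. All class and function names are
// constructed stand-ins, not Symfony or Sulu APIs.

declare(strict_types=1);

// Stand-in for Symfony's Translator. addResource() only records the call here;
// the real method hands the file to the "php" loader, which includes it.
final class StubTranslator
{
    /** @var array<int, array{string, string}> */
    public array $resources = [];
    private string $locale = 'en';

    public function trans(string $id, array $parameters = [], ?string $domain = null, ?string $locale = null): string
    {
        return strtoupper($id); // constructed "translation"
    }

    public function getLocale(): string
    {
        return $this->locale;
    }

    public function setLocale(string $locale): void
    {
        $this->locale = $locale;
    }

    public function addResource(string $format, string $resource, string $locale = 'en'): void
    {
        $this->resources[] = [$format, $resource];
    }
}

// Hardened binding, modelled on the wrapper the fix introduces: only the
// read-only methods a route expression needs are delegated. addResource() and
// setLocale() do not exist on this object, so no expression can reach them.
final class SafeTranslatorWrapper
{
    private StubTranslator $translator;

    public function __construct(StubTranslator $translator)
    {
        $this->translator = $translator;
    }

    public function trans(string $id, array $parameters = [], ?string $domain = null, ?string $locale = null): string
    {
        return $this->translator->trans($id, $parameters, $domain, $locale);
    }

    public function getLocale(): string
    {
        return $this->translator->getLocale();
    }
}

// Minimal stand-in for ExpressionLanguage::evaluate(): supports only
// variable.method("literal", ...) and dispatches to the bound object. That
// dispatch is exactly what makes the unwrapped binding dangerous.
function evaluateToken(string $expression, array $variables): string
{
    if (!preg_match('/^(\w+)\.(\w+)\(([^)]*)\)$/', $expression, $m)) {
        throw new InvalidArgumentException("Unsupported expression: $expression");
    }
    [, $name, $method, $rawArgs] = $m;
    if (!isset($variables[$name])) {
        throw new RuntimeException("Unknown variable \"$name\"");
    }
    $object = $variables[$name];
    if (!method_exists($object, $method)) {
        throw new RuntimeException("Method $method() is not available on \"$name\"");
    }
    $args = $rawArgs === '' ? [] : array_map(fn(string $a): string => trim($a, " \""), explode(',', $rawArgs));

    return (string) $object->$method(...$args);
}

// Evaluate the same two expressions against both bindings. The second one is
// the expression the fix's unit test uses; "/test.php" is that test's placeholder.
function demo(): array
{
    $out = [];
    foreach (['unwrapped', 'wrapped'] as $mode) {
        $translator = new StubTranslator();
        $bound = $mode === 'wrapped' ? new SafeTranslatorWrapper($translator) : $translator;
        foreach (['translator.trans("test-key")', 'translator.addResource("php", "/test.php")'] as $expr) {
            try {
                $out[$mode][$expr] = evaluateToken($expr, ['translator' => $bound]);
            } catch (RuntimeException $e) {
                $out[$mode][$expr] = 'rejected: ' . $e->getMessage();
            }
        }
        $out[$mode]['resources registered'] = count($translator->resources);
    }
    return $out;
}

print_r(demo());
```

Running the script shows trans() working under both bindings, while addResource() registers a resource only in the unwrapped case and is rejected as a nonexistent method in the wrapped one. This is the property the workaround relies on: whatever service is registered as sulu_route.generator.expression_token_provider, the object it passes to the expression language under the name translator must be such a wrapper rather than the real translator, which is what the patched SymfonyExpressionTokenProvider::provide() does.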

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions          Patched versions
sulu/sulu (Packagist)   < 1.6.44                   1.6.44
sulu/sulu (Packagist)   >= 2.0.0, < 2.2.18         2.2.18
sulu/sulu (Packagist)   >= 2.3.0, < 2.3.8          2.3.8
sulu/sulu (Packagist)   >= 2.4.0-RC1, < 2.4.0      2.4.0

Patches
9c948f9ce350

Merge pull request from GHSA-vx6j-pjrh-vgjh

https://github.com/sulu/sulu · Johannes Wachter · Dec 7, 2021 · via ghsa
3 files changed · +65 −2
  • src/Sulu/Bundle/RouteBundle/Generator/SymfonyExpressionTokenProvider.php  +4 −1  modified
    @@ -44,7 +44,10 @@ public function provide($entity, $name)
                     $this->translator->setLocale($entity->getLocale());
                 }
     
    -            $result = $this->expressionLanguage->evaluate($name, ['object' => $entity, 'translator' => $this->translator]);
    +            $result = $this->expressionLanguage->evaluate($name, [
    +                'object' => $entity,
    +                'translator' => new TranslatorWrapper($this->translator),
    +            ]);
                 $this->translator->setLocale($locale);
     
                 return $result;
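Review bot: nothing in this hunk says why the translator is wrapped before the `evaluate()` call; add a one-line comment above `'translator' => new TranslatorWrapper($this->translator),` stating that the wrapper deliberately hides `addResource()` and every other `Translator` method from route expressions, so a future refactor does not "simplify" it back to passing `$this->translator` directly. Note that the surrounding `$this->translator->setLocale(...)` calls must keep operating on the raw translator, since the wrapper's `setLocale()` throws; constructing the wrapper once in the constructor rather than on every `provide()` call would also avoid an allocation per token.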
    
  • src/Sulu/Bundle/RouteBundle/Generator/TranslatorWrapper.php  +41 −0  added
    @@ -0,0 +1,41 @@
    +<?php
    +
    +namespace Sulu\Bundle\RouteBundle\Generator;
    +
    +use Symfony\Component\Translation\TranslatorInterface;
    +
    +/**
    + * @internal
    + */
    +class TranslatorWrapper implements TranslatorInterface
    +{
    +    /**
    +     * @var TranslatorInterface
    +     */
    +    private $translator;
    +
    +    public function __construct(TranslatorInterface $translator)
    +    {
    +        $this->translator = $translator;
    +    }
    +
    +    public function trans($id, array $parameters = [], $domain = null, $locale = null)
    +    {
    +        return $this->translator->trans($id, $parameters, $domain, $locale);
    +    }
    +
    +    public function transChoice($id, $number, array $parameters = [], $domain = null, $locale = null)
    +    {
    +        return $this->translator->transChoice($id, $number, $parameters, $domain, $locale);
    +    }
    +
    +    public function setLocale($locale)
    +    {
    +        throw new \Exception('Not supported.');
    +    }
    +
    +    public function getLocale()
    +    {
    +        return $this->translator->getLocale();
    +    }
    +}
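Review bot: `setLocale()` throws a bare `\Exception('Not supported.')`; a `\BadMethodCallException` would be more idiomatic and lets callers that catch by type tell a programming error apart from a translation failure. The class docblock carries only `@internal`; add a sentence that this class exists to restrict the method surface reachable from route expressions to `trans()`, `transChoice()` and `getLocale()`, so its allow-list nature is explicit to whoever maintains it. When this is forward-ported to the 2.x branches, check which translator interface those branches use: `Symfony\Component\Translation\TranslatorInterface` and `transChoice()` are deprecated since Symfony 4.2 in favour of the Contracts interface.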
    
  • src/Sulu/Bundle/RouteBundle/Tests/Unit/Generator/SymfonyExpressionTokenProviderTest.php  +20 −1  modified
    @@ -11,9 +11,11 @@
     
     namespace Sulu\Bundle\RouteBundle\Tests\Unit\Generator;
     
    +use Prophecy\Argument;
     use Sulu\Bundle\RouteBundle\Generator\CannotEvaluateTokenException;
     use Sulu\Bundle\RouteBundle\Generator\SymfonyExpressionTokenProvider;
     use Sulu\Bundle\RouteBundle\Model\RoutableInterface;
    +use Symfony\Component\Translation\Translator;
     use Symfony\Component\Translation\TranslatorInterface;
     
     class SymfonyExpressionTokenProviderTest extends \PHPUnit_Framework_TestCase
    @@ -37,14 +39,31 @@ public function testResolveTranslation()
             $translator = $this->prophesize(TranslatorInterface::class);
             $translator->getLocale()->willReturn('de');
             $translator->setLocale('de')->shouldBeCalled();
    -        $translator->trans('test-key')->willReturn('TEST');
    +        $translator->trans('test-key', Argument::cetera())->willReturn('TEST');
             $entity = $this->prophesize(RoutableInterface::class);
             $entity->getLocale()->willReturn('en');
     
             $provider = new SymfonyExpressionTokenProvider($translator->reveal());
             $this->assertEquals('TEST', $provider->provide($entity, 'translator.trans("test-key")'));
         }
     
    +    public function testResolveTranslationAddResource()
    +    {
    +        $this->setExpectedException(CannotEvaluateTokenException::class);
    +
    +        $translator = $this->prophesize(Translator::class);
    +        $translator->getLocale()->willReturn('de');
    +        $translator->setLocale('de')->shouldBeCalled();
    +        $entity = $this->prophesize(RoutableInterface::class);
    +        $entity->getLocale()->willReturn('en');
    +
    +        $entity->getLocale = function() {
    +            return 'en';
    +        };
    +        $provider = new SymfonyExpressionTokenProvider($translator->reveal());
    +        $provider->provide($entity, 'translator.addResource("php", "/test.php")');
    +    }
    +
         public function testResolveNotExists()
         {
             $this->setExpectedException(CannotEvaluateTokenException::class);
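Review bot: the lines `$entity->getLocale = function() { return 'en'; };` in `testResolveTranslationAddResource()` assign a closure to a property on the prophecy object rather than stubbing a method; `$entity->getLocale()->willReturn('en')` two lines earlier already does that, so the assignment is dead code and should be removed. Prophesizing the concrete `Translator` class instead of the interface is the right choice here, since it gives the double a real `addResource()` and makes the test meaningful; adding `$translator->addResource(Argument::cetera())->shouldNotBeCalled();` would state the negative expectation explicitly instead of relying only on the expected `CannotEvaluateTokenException`.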
    
