CVE-2022-21829
Description
Concrete CMS versions 9.0.0-9.0.2 and 8.5.7 and below allow remote code execution via malicious zip files downloaded over HTTP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2022-21829 is a remote code execution (RCE) vulnerability in Concrete CMS affecting versions 9.0.0 through 9.0.2 and 8.5.7 and earlier. The root cause is that the CMS could download ZIP files over unencrypted HTTP connections and subsequently execute code from those archives. The fix enforces the use of concrete_secure instead of concrete, ensuring that all requests are made over HTTPS even if the initial request arrives via HTTP [1][2].
Exploitation Conditions
Exploitation requires high privileges (PR:H) and a complex attack (AC:H), but can be carried out over the network (AV:N) without user interaction (UI:N). An attacker with administrative access could trick the system into downloading a malicious ZIP file from an attacker-controlled HTTP server, leading to code execution. The vulnerability lies in the update or package download mechanism, which previously did not enforce HTTPS [2].
Impact
Successful exploitation grants the attacker remote code execution with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The scope is changed (S:C), meaning the compromise can affect resources beyond the vulnerable component, potentially leading to full site takeover [2].
Mitigation
The vulnerability is patched in Concrete CMS versions 9.1.0 and 8.5.8. Users running affected versions should upgrade immediately. The release notes for 9.1.0 [1] and 8.5.8 [3] include the security fix. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/core (Packagist) | >= 9.0.0, < 9.1.0 | 9.1.0 |
| concrete5/core (Packagist) | < 8.5.8 | 8.5.8 |
Affected products
- Concrete CMS / Concrete CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6xc4-7fmm-65q2 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-21829 (NVD)
- documentation.concretecms.org/developers/introduction/version-history/858-release-notes (Concrete CMS 8.5.8 release notes)
- documentation.concretecms.org/developers/introduction/version-history/910-release-notes (Concrete CMS 9.1.0 release notes)
- hackerone.com/reports/1482520 (HackerOne report)
News mentions
No linked articles in our index yet.