CVE-2022-28888
Description
Spryker Commerce OS 1.4.2 allows Remote Command Execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A predictable signing value for Spryker Commerce OS's _fragment endpoint lets an unauthenticated attacker forge fragment URLs, write attacker-controlled content to files on the server and thereby achieve remote command execution.
Vulnerability
Spryker Commerce OS installations using the spryker/http module prior to version 1.7.0 are affected by a vulnerability in the _fragment endpoint inherited from Symfony/Silex. Requests to that endpoint are only accepted when their URL carries a valid signature, but the signing key used to validate _fragment URLs is predictable. An attacker who derives the key can forge URLs that pass the signature check and invoke PHP methods of their choosing (subject to the restrictions the framework places on the _controller value). That capability can be used to write arbitrary content to files on the filesystem, which in turn leads to remote command execution. [1]
Exploitation
In many setups the predictable signing value can be guessed or derived without authentication. By crafting a _fragment URL with a matching signature, the attacker calls PHP methods that write attacker-controlled content to a file of their choosing. The advisory demonstrates that this file write can be escalated to execution of arbitrary PHP code, typically by writing a PHP web shell into a web-accessible directory and then requesting it. [1]
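To make the mechanism behind the Vulnerability and Exploitation sections concrete, the following is an added illustration (not Spryker's, Symfony's or the advisory's code) of how a signed _fragment URL is checked and why a predictable secret defeats the check. The signer is modelled on Symfony's UriSigner scheme (HMAC-SHA256 over the URL with its query parameters sorted by key, base64-encoded and appended as the `_hash` parameter); the exact canonicalisation, the hostname `shop.example`, the `Acme\Demo` controller names, the candidate-secret wordlist and the "observed" signed URL are all assumptions constructed for the example. It does not reproduce the actual predictable value or the file-write gadget from the advisory.

```python
"""Symfony-style signed _fragment URLs and why a predictable secret is fatal.

Added illustration, not Spryker's or Symfony's code. Modelled on Symfony's
UriSigner (HMAC-SHA256 over the URL with query parameters sorted by key,
base64-encoded, appended as `_hash`); canonicalisation details are an
assumption. Hostname, controller names, wordlist and the observed URL are
constructed for the demo.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HASH_PARAM = "_hash"


def _params(url: str) -> dict:
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def _canonical(url: str, params: dict) -> str:
    """Rebuild the URL with the query sorted by key (mirrors ksort in UriSigner)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(sorted(params.items())), p.fragment))


def _hash(secret: str, url: str, params: dict) -> str:
    mac = hmac.new(secret.encode(), _canonical(url, params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_uri(secret: str, url: str) -> str:
    """Server side: append _hash = HMAC(secret, canonical URL without _hash)."""
    params = _params(url)
    params.pop(HASH_PARAM, None)
    params[HASH_PARAM] = _hash(secret, url, params)
    return _canonical(url, params)


def check_uri(secret: str, url: str) -> bool:
    """Server side: recompute the HMAC over the URL minus _hash, compare in constant time."""
    params = _params(url)
    presented = params.pop(HASH_PARAM, None)
    if presented is None:
        return False
    return hmac.compare_digest(_hash(secret, url, params), presented)


def fragment_url(host: str, controller: str) -> str:
    """A /_fragment request whose _path names the controller the kernel will invoke."""
    inner = urlencode({"_controller": controller, "_format": "html"})
    return f"https://{host}/_fragment?" + urlencode({"_path": inner})


def recover_secret(observed_signed_url: str, candidates) -> Optional[str]:
    """Attacker side: a signed URL seen in page output (ESI/hinclude markup) is an
    offline HMAC oracle, so a predictable secret falls to a short candidate list."""
    for cand in candidates:
        if check_uri(cand, observed_signed_url):
            return cand
    return None


def tamper(signed_url: str, controller: str) -> str:
    """Swap _path but keep the old _hash: all an attacker can do without the key."""
    params = _params(signed_url)
    params["_path"] = urlencode({"_controller": controller, "_format": "html"})
    return _canonical(signed_url, params)


def demo() -> dict:
    host = "shop.example"                   # constructed
    weak_secret = "ChangeMe"                # constructed stand-in for a predictable key
    strong_secret = secrets.token_hex(32)   # what the key should look like instead
    wordlist = ["ThisTokenIsNotSoSecretChangeIt", "secret", "ChangeMe", "dev"]  # constructed

    # A legitimate signed fragment URL is visible in rendered HTML in both deployments.
    seen_weak = sign_uri(weak_secret, fragment_url(host, "Acme\\Demo::index"))
    seen_strong = sign_uri(strong_secret, fragment_url(host, "Acme\\Demo::index"))

    # Without the key, editing _path breaks the signature.
    tampered = tamper(seen_weak, "Acme\\Demo::render")

    # With a predictable key, the attacker recovers it and signs any _path at will.
    recovered = recover_secret(seen_weak, wordlist)
    forged = sign_uri(recovered, fragment_url(host, "Acme\\Demo::render")) if recovered else None

    return {
        "legit_valid": check_uri(weak_secret, seen_weak),
        "tampered_valid": check_uri(weak_secret, tampered),
        "recovered": recovered,
        "forged_valid": forged is not None and check_uri(weak_secret, forged),
        "strong_recovered": recover_secret(seen_strong, wordlist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the demo is that the signature check itself is sound: a tampered `_path` is rejected and the comparison is constant-time. The whole scheme rests on the secret being unguessable, and a single legitimately signed URL leaked in page output is enough to confirm a guess offline, after which every `_path` the attacker signs is accepted as genuine.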
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary operating system commands on the Spryker Commerce OS server. This amounts to full compromise of the application, including access to customer data and modification of shop content, and gives the attacker a foothold for lateral movement within the network. [1]
Mitigation
The vulnerability is fixed in spryker/http module version 1.7.0 and later; affected installations should update to that version or newer. The advisory mentions no workarounds. The CVE was not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Spryker / Commerce OS
- Range: <=1.4.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- seclists.org/fulldisclosure/2022/Jul/4 (MITRE; mailing list)
- seclists.org/fulldisclosure/2023/May/2 (MITRE; mailing list)
- packetstormsecurity.com/files/167765/Spryker-Commerce-OS-Remote-Command-Execution.html (MITRE)
- packetstormsecurity.com/files/172257/Spryker-Commerce-OS-1.0-SQL-Injection.html (MITRE)
- schutzwerk.com (MITRE)
- www.schutzwerk.com/en/43/advisories/schutzwerk-sa-2022-003/ (MITRE)
News mentions
No linked articles in our index yet.