High severity · NVD Advisory · Published Jun 4, 2024 · Updated Aug 2, 2024

Pimcore Vulnerable to Flooding Server with Thumbnail files

CVE-2024-32871

Description

Pimcore is an open source data and experience management platform. Its thumbnail generation can be used to flood the server with large files: by changing the file extension or the scaling factor of a requested thumbnail, an attacker can make the server produce files that are much larger than the original asset. This vulnerability is fixed in 11.2.4.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     | Affected versions    | Patched versions
pimcore/pimcore (Packagist) | >= 11.0.0, < 11.2.4  | 11.2.4


Patches

38af70b3130f

Fix thumbnail generation if asset or config is null

https://github.com/pimcore/pimcore · mattamon · May 13, 2024 · via ghsa
4 files changed · +31 -17
  • models/Asset/Document/ImageThumbnail.php (+5 -4, modified)
    @@ -76,14 +76,15 @@ public function getPath(array $args = []): string
          */
         public function generate(bool $deferredAllowed = true): void
         {
    -        if (!$this->checkAllowedFormats($this->config->getFormat(), $this->asset)) {
    -            throw new ThumbnailFormatNotSupportedException();
    -        }
    -
             $deferred = $deferredAllowed && $this->deferred;
             $generated = false;
     
             if ($this->asset && empty($this->pathReference)) {
    +
    +            if (!$this->checkAllowedFormats($this->config->getFormat(), $this->asset)) {
    +                throw new ThumbnailFormatNotSupportedException();
    +            }
    +
                 $config = $this->getConfig();
                 $cacheFileStream = null;
                 $config->setFilenameSuffix('page-' . $this->page);
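Review bot: moving the format check inside `if ($this->asset && empty($this->pathReference))` guards against a null asset but not against a null config, although the commit title names both: `$this->config->getFormat()` is still dereferenced without a check. Image/Thumbnail.php's `validate()` in this same commit returns early on `!$this->config`; applying the same guard here (or resolving `$config = $this->getConfig();` before the check, as the next line already does) would keep the three thumbnail classes consistent.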
    
  • models/Asset/Image/Thumbnail.php (+19 -7, modified)
    @@ -112,13 +112,7 @@ protected function useOriginalFile(string $filename): bool
          */
         public function generate(bool $deferredAllowed = true): void
         {
    -        if (!$this->checkAllowedFormats($this->config->getFormat(), $this->asset)) {
    -            throw new ThumbnailFormatNotSupportedException();
    -        }
    -
    -        if (!$this->checkMaxScalingFactor($this->config->getHighResolution())) {
    -            throw new ThumbnailMaxScalingFactorException();
    -        }
    +        $this->validate();
     
             $deferred = false;
             $generated = false;
    @@ -460,4 +454,22 @@ private function getSrcset(Config $thumbConfig, Image $image, array $options, ?s
     
             return implode(', ', $srcSetValues);
         }
    +
    +    /**
    +     * @throws ThumbnailFormatNotSupportedException
    +     * @throws ThumbnailMaxScalingFactorException
    +     */
    +    private function validate(): void
    +    {
    +        if(!$this->asset || !$this->config) {
    +            return;
    +        }
    +        if (!$this->checkAllowedFormats($this->config->getFormat(), $this->asset)) {
    +            throw new ThumbnailFormatNotSupportedException();
    +        }
    +
    +        if (!$this->checkMaxScalingFactor($this->config->getHighResolution())) {
    +            throw new ThumbnailMaxScalingFactorException();
    +        }
    +    }
     }
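Review bot: the early return on `!$this->asset || !$this->config` skips the scaling-factor check whenever the asset is missing, even though `checkMaxScalingFactor($this->config->getHighResolution())` only needs the config; guard the format check on both and the scaling check on `$this->config` alone so a request with an over-limit `@Nx` factor is still rejected. Style: `if(!$this->asset` is missing the space that the `if (` two lines below uses.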
    
  • models/Asset/Thumbnail/ImageThumbnailTrait.php (+1 -1, modified)
    @@ -434,7 +434,7 @@ private function checkAllowedFormats(string $format, ?Asset $asset = null): bool
         {
             $format = strtolower($format);
             if($asset) {
    -            $original = pathinfo($asset->getRealFullPath(), PATHINFO_EXTENSION);
    +            $original = strtolower(pathinfo($asset->getRealFullPath(), PATHINFO_EXTENSION));
                 if ($format === $original || $format === 'source') {
                     return true;
                 }
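Review bot: lowercasing `$original` closes the case mismatch in which an asset stored as `photo.JPG` requested as `jpg` fell through to the allowed-formats lookup instead of taking the same-format shortcut; a unit test with a mixed-case extension would keep this from regressing. The `$format === 'source'` branch still returns true without consulting `allowed_formats`, which is intended because it preserves the original format, but a one-line comment stating that would spare the next reader the question.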
    
  • models/Asset/Video/ImageThumbnail.php (+6 -5, modified)
    @@ -77,20 +77,21 @@ public function getPath(array $args = []): string
         }
     
         /**
    -     * @throws Exception
    +     * @throws Exception|\League\Flysystem\FilesystemException|ThumbnailFormatNotSupportedException
          *
          * @internal
          */
         public function generate(bool $deferredAllowed = true): void
         {
    -        if (!$this->checkAllowedFormats($this->config->getFormat(), $this->asset)) {
    -            throw new ThumbnailFormatNotSupportedException();
    -        }
    -
             $deferred = $deferredAllowed && $this->deferred;
             $generated = false;
     
             if ($this->asset && empty($this->pathReference)) {
    +
    +            if (!$this->checkAllowedFormats($this->config->getFormat(), $this->asset)) {
    +                throw new ThumbnailFormatNotSupportedException();
    +            }
    +
                 $cs = $this->asset->getCustomSetting('image_thumbnail_time');
                 $im = $this->asset->getCustomSetting('image_thumbnail_asset');
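Review bot: as in Document/ImageThumbnail.php, the relocated check still calls `$this->config->getFormat()` with no null guard on `$this->config`, which the commit title says can be null; only Image/Thumbnail.php's `validate()` covers that case. On the docblock, `Exception` is imported while `\League\Flysystem\FilesystemException` is written fully qualified on the same `@throws` line; import it for consistency.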
     
    
a6821a16ea38

Merge pull request from GHSA-277c-5vvj-9pwx

https://github.com/pimcore/pimcore · Matthias Schuhmayer · May 3, 2024 · via ghsa
10 files changed · +177 -3
  • bundles/CoreBundle/src/DependencyInjection/Configuration.php (+12 -0, modified)
    @@ -352,6 +352,18 @@ private function addAssetNode(ArrayNodeDefinition $rootNode): void
                     ->arrayNode('assets')
                     ->addDefaultsIfNotSet()
                     ->children()
    +                    ->arrayNode('thumbnails')
    +                    ->addDefaultsIfNotSet()
    +                        ->children()
    +                            ->arrayNode('allowed_formats')
    +                                ->defaultValue(['avif', 'eps', 'gif', 'jpeg', 'jpg', 'pjpeg', 'png', 'svg', 'tiff', 'webm', 'webp'])
    +                                ->scalarPrototype()->end()
    +                            ->end()
    +                            ->floatNode('max_scaling_factor')
    +                                ->defaultValue(5.0)
    +                            ->end()
    +                        ->end()
    +                    ->end()
                         ->arrayNode('frontend_prefixes')
                             ->addDefaultsIfNotSet()
                             ->children()
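Review bot: `max_scaling_factor` is a `floatNode` with no lower bound, so a configured `0` or a negative value makes `checkMaxScalingFactor()` reject every high-resolution thumbnail; a `->min()` constraint would surface that misconfiguration at container build time instead. `allowed_formats` entries are also taken verbatim, while `checkAllowedFormats()` lowercases the requested format before a strict `in_array()`, so an operator who writes `'PNG'` gets an entry that can never match; normalizing the list to lowercase (for example in a `beforeNormalization()` closure) or documenting that entries must be lowercase would avoid that.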
    
  • doc/04_Assets/03_Working_with_Thumbnails/01_Image_Thumbnails.md (+11 -1, modified)
    @@ -9,7 +9,8 @@ which are not stored as an asset inside Pimcore.
     > **IMPORTANT**  
     > Use Imagick PECL extension for best results, GDlib is just a fallback with limited functionality
     > (only PNG, JPG, GIF) and less quality!
    -> Using ImageMagick Pimcore supports hundreds of formats including: AI, EPS, TIFF, PNG, JPG, GIF, PSD, ...
    +> Using ImageMagick Pimcore can support hundreds of formats including: AI, EPS, TIFF, PNG, JPG, GIF, PSD, etc.
    +> Not all formats are allowed out of the box. To extend the list [see](./README.md#allowed-formats).
     
     To use the thumbnailing service of Pimcore, you have to create a transformation pipeline first. To do so, open
     _Settings_ > _Thumbnails_ and click on _Add Thumbnail_ to create a new configuration.
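Review bot: the link text in `To extend the list [see](./README.md#allowed-formats).` is just the word "see"; `see [Allowed formats](./README.md#allowed-formats)` reads better and tells the reader where the link leads.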
    @@ -329,6 +330,15 @@ This is a special functionality to allow embedding high resolution (ppi/dpi) ima
     The following is only necessary in special use-cases like Web-to-Print, in typical web-based cases, Pimcore
     automatically adds the `srcset` attribute to `<img>` and `<picture>` tags automatically, so no manual work is necessary.
     
    +The high resolution scaling factor is limited to `5.0` eg. `@5x`. Float values are supported.
    +If you need to scale an image more than that, you can use the `max_scaling_factor` option in the configuration.
    +```yaml
    +  pimcore:
    +    assets:
    +      thumbnails:
    +        max_scaling_factor: 6.0
    +```
    +
     ### Use in the Thumbnail Configuration:
     
     ![High Resolution](../../img/thumbnail_high_resolution.png)
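Review bot: `eg.` should be `e.g.`, and "is limited to `5.0`" states the bound as fixed although the next sentence explains it is configurable; "limited to `5.0` by default" is more accurate. The YAML block is also indented two spaces inside the fence (`  pimcore:`), unlike the README example in this same PR that starts at column 0; pick one layout for all snippets so copy-paste gives the same result.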
    
  • doc/04_Assets/03_Working_with_Thumbnails/README.md (+26 -1, modified)
    @@ -4,7 +4,32 @@ Pimcore provides a sophisticated thumbnail processing engine for calculating thu
     different output channels Pimcore can calculate and provide optimized images in terms of dimensions, file sizes, formats
     and much more.
     
    -This functionality allows true single source publishing with Pimcore. 
    +This functionality allows true single source publishing with Pimcore.
    +
    +### Allowed formats
    +Pimcore allows the following formats for thumbnails out of the box:
    +`'avif', 'eps', 'gif', 'jpeg', 'jpg', 'pjpeg', 'png', 'svg', 'tiff', 'webm', 'webp'`.
    +
    +If you want to use a different format, you can easily extend the list of supported formats.
    +Keep in mind that you must copy the whole list of formats and add your desired format to it.
    +```yaml
    +pimcore:
    +    assets:
    +        thumbnails:
    +            allowed_formats:
    +                - 'avif'
    +                - 'eps'
    +                - 'gif'
    +                - 'jpeg'
    +                - 'jpg'
    +                - 'pjpeg'
    +                - 'png'
    +                - 'svg'
    +                - 'tiff'
    +                - 'webm'
    +                - 'webp'
    +                - 'pdf' # Add your desired format here
    +```
     
     ##### Thumbnails are available for following file types: 
     * [Image Thumbnails](./01_Image_Thumbnails.md)
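Review bot: the instruction to copy the whole list is correct and worth keeping, since a Symfony array node with a prototype replaces the default rather than merging into it, but the `'pdf' # Add your desired format here` example deserves one sentence saying that every added format widens what `allowed_formats` has just restricted; the advisory's concern is output far larger than the source, so operators should add only formats they actually serve.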
    
  • doc/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md (+30 -0, modified)
    @@ -1,5 +1,35 @@
     # Upgrade Notes
     
    +## Pimcore 11.2.4
    +### Assets Thumbnails
    +- Thumbnail generation for Assets, Documents and Videos now only support the following formats out of the box: `'avif', 'eps', 'gif', 'jpeg', 'jpg', 'pjpeg', 'png', 'svg', 'tiff', 'webm', 'webp'`.
    +- You can extend this list by adding your formats on the bottom: 
    +```yaml
    +  pimcore:
    +    assets:
    +      thumbnails:
    +        allowed_formats:
    +          - 'avif'
    +          - 'eps'
    +          - 'gif'
    +          - 'jpeg'
    +          - 'jpg'
    +          - 'pjpeg'
    +          - 'png'
    +          - 'svg'
    +          - 'tiff'
    +          - 'webm'
    +          - 'webp'
    +          - 'pdf' # Add your desired format here
    +```
    +- High resolution scaling factor for image thumbnails has now been limited to a maximum of `5.0`. If you need to scale an image more than that, you can use the `max_scaling_factor` option in the configuration.
    +```yaml
    +  pimcore:
    +    assets:
    +      thumbnails:
    +        max_scaling_factor: 6.0
    +```
    +
     ## Pimcore 11.2.0
     ### Elements
     #### [Documents]:
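Review bot: `now only support` should be `now only supports`, and "Assets, Documents and Videos" is imprecise since documents and videos are assets too; the three classes changed in this PR are the image, document and video asset thumbnails, so name them that way. Both YAML snippets are indented two spaces inside their fences while the README example in this PR starts at column 0.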
    
  • models/Asset/Document/ImageThumbnail.php (+8 -0, modified)
    @@ -24,6 +24,7 @@
     use Pimcore\Model;
     use Pimcore\Model\Asset\Image;
     use Pimcore\Model\Exception\NotFoundException;
    +use Pimcore\Model\Exception\ThumbnailFormatNotSupportedException;
     use Pimcore\Tool\Storage;
     use Symfony\Component\EventDispatcher\GenericEvent;
     use Symfony\Component\Lock\LockFactory;
    @@ -70,8 +71,15 @@ public function getPath(array $args = []): string
             return $path;
         }
     
    +    /**
    +     * @throws ThumbnailFormatNotSupportedException
    +     */
         public function generate(bool $deferredAllowed = true): void
         {
    +        if (!$this->checkAllowedFormats($this->config->getFormat())) {
    +            throw new ThumbnailFormatNotSupportedException();
    +        }
    +
             $deferred = $deferredAllowed && $this->deferred;
             $generated = false;
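Review bot: `checkAllowedFormats($this->config->getFormat())` is called without the second `$asset` argument, so the "same format as the original" shortcut in the trait never applies to document thumbnails, and the check runs before any null check on `$this->asset` or `$this->config`. The follow-up commit 38af70b3130f on this page moves the check inside `if ($this->asset && ...)` and passes `$this->asset`; doing both here would have avoided the second round.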
     
    
  • models/Asset/Image/Thumbnail.php (+12 -0, modified)
    @@ -24,6 +24,8 @@
     use Pimcore\Model\Asset\Image\Thumbnail\Config;
     use Pimcore\Model\Asset\Thumbnail\ImageThumbnailTrait;
     use Pimcore\Model\Exception\NotFoundException;
    +use Pimcore\Model\Exception\ThumbnailFormatNotSupportedException;
    +use Pimcore\Model\Exception\ThumbnailMaxScalingFactorException;
     use Pimcore\Tool;
     use Symfony\Component\EventDispatcher\GenericEvent;
     
    @@ -103,10 +105,20 @@ protected function useOriginalFile(string $filename): bool
         }
     
         /**
    +     * @throws ThumbnailFormatNotSupportedException
    +     * @throws ThumbnailMaxScalingFactorException
          * @internal
          */
         public function generate(bool $deferredAllowed = true): void
         {
    +        if (!$this->checkAllowedFormats($this->config->getFormat(), $this->asset)) {
    +            throw new ThumbnailFormatNotSupportedException();
    +        }
    +
    +        if (!$this->checkMaxScalingFactor($this->config->getHighResolution())) {
    +            throw new ThumbnailMaxScalingFactorException();
    +        }
    +
             $deferred = false;
             $generated = false;
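Review bot: both new checks dereference `$this->config` before anything verifies it is set, and `checkMaxScalingFactor(float $scalingFactor)` raises a TypeError if `getHighResolution()` can ever return null (not visible in this hunk, so worth confirming). The follow-up commit 38af70b3130f replaces this block with a `validate()` that returns early on a missing asset or config; that guard belongs here from the start.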
     
    
  • models/Asset/Thumbnail/ImageThumbnailTrait.php (+25 -0, modified)
    @@ -16,6 +16,7 @@
     
     namespace Pimcore\Model\Asset\Thumbnail;
     
    +use Pimcore\Config as PimcoreConfig;
     use Pimcore\Helper\TemporaryFileHelperTrait;
     use Pimcore\Model\Asset;
     use Pimcore\Model\Asset\Image;
    @@ -428,4 +429,28 @@ public function getAsFormat(string $format): static
     
             return $thumb;
         }
    +
    +    private function checkAllowedFormats(string $format, ?Asset $asset = null): bool
    +    {
    +        $format = strtolower($format);
    +        if($asset) {
    +            $original = pathinfo($asset->getRealFullPath(),  PATHINFO_EXTENSION);
    +            if ($format === $original || $format === 'source') {
    +                return true;
    +            }
    +        }
    +
    +        $assetConfig = PimcoreConfig::getSystemConfiguration('assets');
    +        return in_array(
    +            $format,
    +            $assetConfig['thumbnails']['allowed_formats'],
    +            true
    +        );
    +    }
    +
    +    private function checkMaxScalingFactor(float $scalingFactor): bool
    +    {
    +        $assetConfig = PimcoreConfig::getSystemConfiguration('assets');
    +        return $scalingFactor <= $assetConfig['thumbnails']['max_scaling_factor'];
    +    }
     }
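Review bot: `$original` is compared case-sensitively against the lowercased `$format`, so `IMG.JPG` requested as `jpg` misses the shortcut and falls through to the allowed list (fixed in 38af70b3130f with `strtolower`); the configured `allowed_formats` values are not lowercased either, so the strict `in_array()` silently fails for any upper-case entry in config. Minor style: `if($asset)` lacks the usual space and `getRealFullPath(),  PATHINFO_EXTENSION` has a double space. `getSystemConfiguration('assets')` is fetched on every call in both helpers; caching the `thumbnails` sub-array once per request would be cheaper on pages that render many thumbnails, but that is optional.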
    
  • models/Asset/Video/ImageThumbnail.php (+7 -1, modified)
    @@ -16,12 +16,14 @@
     
     namespace Pimcore\Model\Asset\Video;
     
    +use Exception;
     use Pimcore\Event\AssetEvents;
     use Pimcore\Event\FrontendEvents;
     use Pimcore\File;
     use Pimcore\Logger;
     use Pimcore\Model;
     use Pimcore\Model\Asset\Image;
    +use Pimcore\Model\Exception\ThumbnailFormatNotSupportedException;
     use Pimcore\Tool\Storage;
     use Symfony\Component\EventDispatcher\GenericEvent;
     use Symfony\Component\Lock\LockFactory;
    @@ -75,12 +77,16 @@ public function getPath(array $args = []): string
         }
     
         /**
    -     * @throws \Exception
    +     * @throws Exception
          *
          * @internal
          */
         public function generate(bool $deferredAllowed = true): void
         {
    +        if (!$this->checkAllowedFormats($this->config->getFormat())) {
    +            throw new ThumbnailFormatNotSupportedException();
    +        }
    +
             $deferred = $deferredAllowed && $this->deferred;
             $generated = false;
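Review bot: same issue as Document/ImageThumbnail.php: `$this->asset` is not passed to `checkAllowedFormats()`, so the original-format shortcut is lost for video thumbnails, and the check precedes the `$this->asset` guard (relocated in 38af70b3130f). The docblock edit swaps `\Exception` for the imported `Exception` but does not declare the `ThumbnailFormatNotSupportedException` this method now throws; add it alongside.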
     
    
  • models/Exception/ThumbnailFormatNotSupportedException.php (+23 -0, added)
    @@ -0,0 +1,23 @@
    +<?php
    +declare(strict_types=1);
    +
    +/**
    + * Pimcore
    + *
    + * This source file is available under two different licenses:
    + * - GNU General Public License version 3 (GPLv3)
    + * - Pimcore Commercial License (PCL)
    + * Full copyright and license information is available in
    + * LICENSE.md which is distributed with this source code.
    + *
    + *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
    + *  @license    http://www.pimcore.org/license     GPLv3 and PCL
    + */
    +
    +namespace Pimcore\Model\Exception;
    +
    +use Exception;
    +
    +final class ThumbnailFormatNotSupportedException extends Exception
    +{
    +}
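Review bot: the class carries no message, so a caught instance logs only its class name; a constructor default or a static factory that records the rejected format would make the resulting log lines actionable for whoever investigates a burst of rejected thumbnail requests.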
    
  • models/Exception/ThumbnailMaxScalingFactorException.php (+23 -0, added)
    @@ -0,0 +1,23 @@
    +<?php
    +declare(strict_types=1);
    +
    +/**
    + * Pimcore
    + *
    + * This source file is available under two different licenses:
    + * - GNU General Public License version 3 (GPLv3)
    + * - Pimcore Commercial License (PCL)
    + * Full copyright and license information is available in
    + * LICENSE.md which is distributed with this source code.
    + *
    + *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
    + *  @license    http://www.pimcore.org/license     GPLv3 and PCL
    + */
    +
    +namespace Pimcore\Model\Exception;
    +
    +use Exception;
    +
    +final class ThumbnailMaxScalingFactorException extends Exception
    +{
    +}
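Review bot: this class and `ThumbnailFormatNotSupportedException` both extend the generic `Exception` directly with no shared parent, so a controller that wants to map "thumbnail request rejected" to one HTTP response must catch two unrelated types; a small abstract base for both (name to be chosen by the project) would keep that a single clause. The message is empty here too; including the requested and the configured maximum factor would help operators tune `max_scaling_factor`.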
    
