PT-2024-24927 · Pimcore · Pimcore

Dandanx +1 · Published 2024-06-04 · Updated 2024-06-10 · CVE-2024-32871

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Pimcore versions prior to 11.2.4

Description: The Pimcore thumbnail generation can be exploited to flood the server with large files. Attackers can create files that are much larger in file size than the original by changing the file extension or scaling factor of the requested thumbnail. All Imagick-supported file formats can be served without filtering, allowing attackers to create files in various formats, including text representations of images. This can lead to exposure of private data, such as GPS information in user-uploaded images. Additionally, the vulnerability can be used to create duplicated files on the server with arbitrary file formats. The scaling factor is not limited and can be modified via URL, allowing attackers to create new files with each request and potentially max out the CPU.

Recommendations: For versions prior to 11.2.4, implement a list of allowed formats that the developer can modify if needed, and return an error or a 404 for unsupported formats. Limit scale factors with an allowlist to prevent exploitation. For non-maintained Pimcore versions, consider using webserver configuration to only serve allowed files. As a temporary workaround, consider disabling the thumbnail generation feature until a patch is available. Restrict access to the vulnerable thumbnail endpoint to minimize the risk of exploitation. Avoid using arbitrary file formats and scaling factors in thumbnail requests until the issue is resolved.
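The format and scale-factor allowlists the recommendations call for, as an added example that is not Pimcore's own code: the `@<n>x` suffix convention, the allowlist values and the log lines are assumptions made here, and the same check would be ported to the thumbnail controller or the webserver configuration that fronts it.

```python
import re
from typing import NamedTuple

# Assumed allowlists (the advisory recommends both; the concrete values are an
# example choice, not Pimcore's own configuration).
ALLOWED_FORMATS = frozenset({"jpg", "jpeg", "png", "webp", "avif"})
ALLOWED_SCALES = frozenset({1, 2, 3})

# Assumed thumbnail name shape, e.g. "logo@2x.webp": the optional "@<n>x"
# suffix is the scaling factor and the extension selects the output format
# handed to Imagick. Anything that does not parse is refused.
_THUMB_RE = re.compile(
    r"^(?P<base>[^/@]+?)(?:@(?P<scale>\d+)x)?\.(?P<ext>[A-Za-z0-9]+)$"
)


class Decision(NamedTuple):
    status: int  # HTTP status to return: 200 serve, 404 refuse
    reason: str


def check_thumbnail_request(path: str) -> Decision:
    """Return 404 for any format or scale factor outside the allowlists."""
    name = path.rsplit("/", 1)[-1]
    m = _THUMB_RE.match(name)
    if not m:
        return Decision(404, "unparseable thumbnail name")
    ext = m.group("ext").lower()
    if ext not in ALLOWED_FORMATS:
        return Decision(404, f"format not allowed: {ext}")
    scale = int(m.group("scale")) if m.group("scale") else 1
    if scale not in ALLOWED_SCALES:
        return Decision(404, f"scale factor not allowed: {scale}x")
    return Decision(200, "ok")


# Constructed access-log lines (not from the advisory) in a minimal
# "<ip> <path> <status>" shape, to show the check over a request stream.
SAMPLE_LOG = """\
203.0.113.7 /image-thumb__27__content/logo@2x.webp 200
203.0.113.7 /image-thumb__27__content/logo@200x.webp 200
203.0.113.7 /image-thumb__27__content/logo.txt 200
198.51.100.4 /image-thumb__27__content/logo.png 200
"""


def refused_per_client(log: str) -> dict:
    """Count, per client IP, the requests the allowlists would refuse."""
    counts = {}
    for line in log.splitlines():
        ip, path, _status = line.split()
        if check_thumbnail_request(path).status == 404:
            counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Running `refused_per_client` over historical logs before deploying the allowlist shows which clients were already requesting out-of-list formats or scale factors.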


Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2024-32871
GHSA-277C-5VVJ-9PWX

Affected Products

Pimcore