We have been made aware of a security vulnerability in Ghost 4.x. This is patched in 4.3.3 - which has already been released and rolled out on on Ghost(Pro). Self-hosters should update to 4.3.3 as soon as possible, or if for any reason you cannot update, implement one of the recommendations outlined below.
Details:
An unused endpoint added during the development of 4.0.0 is vulnerable to allowing untrusted users access to Ghost Admin. An attacker may gain access by convincing an authenticated Ghost Staff User to click a link containing malicious code. Users do not need to enter credentials and may not know they’ve visited a malicious site for this exploit to be effective.
Updating to 4.3.3 is critical to the security of your site.
Ghost(Pro):
Ghost(Pro) has already been patched. We have investigated and found no evidence that the issue was exploited prior to the patch being added - meaning no customer sites have been compromised. As Ghost(Pro) is maintained by the Ghost core team, it is always patched immediately when any security incident is reported.
Patch & Workarounds:
The patch in 4.3.3 removes the unused endpoint, and is the quickest complete solution.
As a workaround, if for any reason you cannot update your Ghost instance, you can do either of the following:
- Suspend Staff Users, and then log out of Admin until you are able update.
- Block access to the endpoint manually at your edge. For details see advisory.
Disclosure:
Full details of the vulnerability have been published through GitHub Advisories. We’ve also published a notification to all affected sites that will appear in Ghost Admin and shared the details here on the forum.
To aid with disclosures in future, we’re also updating Ghost to be able to self-notify site administrators by email when there are any critical updates available that require immediate attention.
We’re really grateful to Paul Gerste of SonarSource (https://www.sonarsource.com/) for finding this vulnerability, reporting it responsibly following our security policy, and for his prompt replies to our followup questions.