CVE-2026-53943
Ghost Cache Poisoning via x-ghost-preview Header

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations, that response could be stored and served to subsequent visitors requesting the same page, allowing cache poisoning of request-specific preview output. When running Ghost's frontend and admin panel on the same domain this could be used to take over staff user accounts. When running these on different domains staff accounts have no exposure. This vulnerability is fixed in 6.37.0.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
ghost | ghost | 6.37.0
CWE
CWE ID | Description
CWE-524 | The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
Executive Summary

This vulnerability affects versions of the Ghost content management system (CMS) before 6.37.0. When Ghost runs behind a shared caching layer that serves the same cached content to different visitors, an unauthenticated user can send a specially crafted x-ghost-preview header. This header alters the rendered frontend response, which can then be cached and served to other visitors requesting the same page. The result is cache poisoning: request-specific preview content is shared across users.

If the Ghost frontend and admin panel run on the same domain, this vulnerability can be exploited to take over staff user accounts. However, if they run on different domains, staff accounts are not exposed.

The issue is fixed in Ghost version 6.37.0.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and account takeover. Specifically, if the Ghost frontend and admin panel share the same domain, an attacker can exploit the cache poisoning to take over staff user accounts.

Additionally, the cache poisoning can cause users to see altered or malicious content that was intended for other users, potentially leading to misinformation or further exploitation.

The vulnerability has a high severity score (CVSS 9.6), indicating it can lead to significant confidentiality, integrity, and availability impacts.

Compliance Impact

The vulnerability allows an unauthenticated attacker to poison cached content, potentially leading to the takeover of staff user accounts when the frontend and admin panel share the same domain. This can result in unauthorized access to sensitive information and manipulation of data, which may violate confidentiality, integrity, and availability requirements mandated by standards such as GDPR and HIPAA.

Organizations using affected versions of Ghost behind shared caching layers could face compliance risks due to potential data breaches or unauthorized access stemming from this vulnerability.

Mitigation by updating to Ghost version 6.37.0 and resetting authentication credentials if compromise is suspected is critical to maintaining compliance.

Detection Guidance

This vulnerability can be detected by checking if your Ghost instance is running a vulnerable version (from 4.0.0 up to 6.36.0) behind a shared caching layer that caches responses shared between users.

One way to detect potential exploitation or presence of the vulnerability is to monitor HTTP requests and responses for the presence and handling of the `x-ghost-preview` header.

You can use network inspection tools like curl or tcpdump to observe requests with the `x-ghost-preview` header and check if the caching layer is improperly caching these responses.

  • Use curl to send a request with the `x-ghost-preview` header and observe the response: `curl -H "x-ghost-preview: test" https://your-ghost-site.com/page`
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for requests containing the `x-ghost-preview` header to see if such requests are being cached and served to other users.
  • Check your caching layer configuration (e.g., nginx proxy_cache, Cloudflare, Fastly) to see if it caches responses with the `x-ghost-preview` header. For nginx, inspect `proxy_cache_key` and cache bypass rules.
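
The monitoring steps above can also be run over cache access logs. The following is an added example, not code from the advisory or from Ghost: it flags URIs where a request carrying `x-ghost-preview` was rendered by the origin and later requests for the same URI were answered from cache. It assumes an nginx `log_format` that records `$upstream_cache_status` and `$http_x_ghost_preview`, and a cache key equal to the URI; the function name and sample log lines are constructed.

```python
import re

# Constructed sample lines. Assumed nginx log_format (not from the advisory):
#   '$remote_addr "$request" $status cache=$upstream_cache_status '
#   'preview="$http_x_ghost_preview"'
SAMPLE_LOG = """\
203.0.113.7 "GET /welcome/ HTTP/1.1" 200 cache=MISS preview="test"
198.51.100.4 "GET /welcome/ HTTP/1.1" 200 cache=HIT preview="-"
198.51.100.9 "GET /welcome/ HTTP/1.1" 200 cache=HIT preview="-"
203.0.113.7 "GET /about/ HTTP/1.1" 200 cache=BYPASS preview="test"
198.51.100.4 "GET /about/ HTTP/1.1" 200 cache=MISS preview="-"
192.0.2.15 "GET /pricing/ HTTP/1.1" 200 cache=MISS preview="-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "\S+ (?P<uri>\S+) [^"]*" \d{3} '
    r'cache=(?P<cache>\S+) preview="(?P<preview>[^"]*)"$'
)

# $upstream_cache_status values: response rendered by the origin vs. served from cache.
FROM_UPSTREAM = {"MISS", "EXPIRED", "BYPASS"}
FROM_CACHE = {"HIT", "STALE", "UPDATING", "REVALIDATED"}


def find_poisoning_candidates(log_text):
    """Return {uri: {"source": ip, "served_from_cache": n}} for suspect URIs."""
    tainted = {}   # uri -> client whose header-bearing request last reached the origin
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        uri, cache = m["uri"], m["cache"]
        has_header = m["preview"] not in ("", "-")
        if cache in FROM_UPSTREAM:
            if has_header:
                tainted[uri] = m["ip"]
            else:
                tainted.pop(uri, None)  # a clean origin fetch replaced the entry
        elif cache in FROM_CACHE and uri in tainted:
            hit = findings.setdefault(
                uri, {"source": tainted[uri], "served_from_cache": 0})
            hit["served_from_cache"] += 1
    return findings


if __name__ == "__main__":
    for uri, info in find_poisoning_candidates(SAMPLE_LOG).items():
        print(uri, info)
```

`BYPASS` is counted as an origin fetch because nginx's `proxy_cache_bypass` only skips reading from the cache; keeping the response out of the cache is the job of `proxy_no_cache`. Findings are candidates to review against the cache configuration, not proof that a response was stored.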
Mitigation Strategies

To mitigate this vulnerability, you should upgrade Ghost to version 6.37.0 or later, where the issue is fixed.

Additionally, avoid configurations where Ghost is behind a shared caching layer that shares cached content between different visitors, as this setup enables the cache poisoning vulnerability.

If running the frontend and admin panel on the same domain, consider separating them onto different domains to reduce exposure risk to staff accounts.
