GHSA-25fx-3c2q-cq46
Suggest an improvement- Source
- https://github.com/advisories/GHSA-25fx-3c2q-cq46
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-25fx-3c2q-cq46/GHSA-25fx-3c2q-cq46.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-25fx-3c2q-cq46
- Aliases
- Published
- 2023-05-17T15:48:04Z
- Modified
- 2024-02-16T07:56:20.493475Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- pimcore/customer-management-framework-bundle has SQL Injection vulnerability in Segment Assignment query
- Details
-
Impact
An administrator user can use the inheritable segments feature to execute his own blind SQL queries.
A user with administrator privileges can run any SQL query on database. This can be used to retrieve sensitive data, change database information or any other malicious activity against the database.
Patches
Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch manually.
References
https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44/
- Database specific
{ "nvd_published_at": "2023-05-17T11:15:09Z", "cwe_ids": [ "CWE-89" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-05-17T15:48:04Z" }- References
-
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-25fx-3c2q-cq46
- https://nvd.nist.gov/vuln/detail/CVE-2023-2756
- https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe
- https://github.com/pimcore/customer-data-framework
- https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44
Affected packages
Packagist / pimcore/customer-management-framework-bundle
Package
- Name
- pimcore/customer-management-framework-bundle
- Purl
- pkg:composer/pimcore/customer-management-framework-bundle
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.3.10
Affected versions
1.*
1.0.0
1.0.1
1.3.17
v1.*
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.18
v1.3.19
v1.3.20
v1.3.21
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.4.10
v1.4.11
v1.4.12
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.8.0
v1.9.0
v1.9.1
v1.10.0
v1.10.1
v1.11.0
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.6
v2.4.7
v2.5.0
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2
2.*
2.4.5
2.5.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9