GHSA-25fx-3c2q-cq46
- Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-25fx-3c2q-cq46/GHSA-25fx-3c2q-cq46.json
- Aliases
-
- CVE-2023-2756
- Published
- 2023-05-17T15:48:04Z
- Modified
- 2023-05-25T21:47:13.112176Z
- Details
-
Impact
An administrator user can use the inheritable segments feature to execute his own blind SQL queries.
A user with administrator privileges can run any SQL query on database. This can be used to retrieve sensitive data, change database information or any other malicious activity against the database.
Patches
Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch manually.
References
https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44/
- References
-
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-25fx-3c2q-cq46
- https://nvd.nist.gov/vuln/detail/CVE-2023-2756
- https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe
- https://github.com/pimcore/customer-data-framework
- https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44
Affected packages
Packagist / pimcore/customer-management-framework-bundle
pimcore/customer-management-framework-bundle
Affected versions
1.*
1.0.0
1.0.1
1.3.17
2.*
2.4.5
2.5.1
v1.*
v1.1.0
v1.1.1
v1.10.0
v1.10.1
v1.11.0
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.3.0
v1.3.1
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.18
v1.3.19
v1.3.2
v1.3.20
v1.3.21
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.12
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.8.0
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.6
v2.4.7
v2.5.0
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9