GHSA-3q5x-7mxp-rp6j

Source

https://github.com/advisories/GHSA-3q5x-7mxp-rp6j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-3q5x-7mxp-rp6j/GHSA-3q5x-7mxp-rp6j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3q5x-7mxp-rp6j

Aliases

CVE-2019-8135

Published

2019-11-12T22:59:32Z

Modified

2024-02-16T08:03:28.691308Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Remote code execution via vulnerable Symphony dependecy injection

Details

A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. Dependency injection through Symphony framework allows service identifiers to be derived from user controlled data, which can lead to remote code execution. As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2019-11-12T22:13:36Z"
}

References

Affected packages

Packagist / magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2

Fixed

2.2.10

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

Packagist / magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3

Fixed

2.3.2-p2

Affected versions

2.*

2.3.0

2.3.1

2.3.2