GHSA-699q-wcff-g9mj

Source

https://github.com/advisories/GHSA-699q-wcff-g9mj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-699q-wcff-g9mj/GHSA-699q-wcff-g9mj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-699q-wcff-g9mj

Aliases

CVE-2020-15148

Published

2020-09-15T18:19:56Z

Modified

2024-02-16T08:13:00.680042Z

Severity

8.9 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H CVSS Calculator

Summary

Unsafe deserialization in Yii 2

Details

Impact

Remote code execution in case application calls unserialize() on user input containing specially crafted string.

Patches

2.0.38

Workarounds

Add the following to BatchQueryResult.php:

public function __sleep()
{
    throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
}

public function __wakeup()
{
    throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
}

For more information

If you have any questions or comments about this advisory, contact us through security form.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-502"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-15T18:19:44Z"
}

References

Affected packages

Packagist / yiisoft/yii2

Package

Name: yiisoft/yii2
Purl: pkg:composer/yiisoft/yii2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.38

Affected versions

2.*

2.0.0-alpha

2.0.0-beta

2.0.0-rc

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.11.1

2.0.11.2

2.0.12

2.0.12.1

2.0.12.2

2.0.13

2.0.13.1

2.0.13.2

2.0.13.3

2.0.14

2.0.14.1

2.0.14.2

2.0.15

2.0.15.1

2.0.16

2.0.16.1

2.0.17

2.0.18

2.0.19

2.0.20

2.0.21

2.0.22

2.0.23

2.0.24

2.0.25

2.0.26

2.0.27

2.0.28

2.0.29

2.0.30

2.0.31

2.0.32

2.0.33

2.0.34

2.0.35

2.0.36

2.0.37