GHSA-7xr2-8ff7-6fjq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7xr2-8ff7-6fjq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-7xr2-8ff7-6fjq/GHSA-7xr2-8ff7-6fjq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7xr2-8ff7-6fjq
- Aliases
- Published
- 2023-07-14T21:59:13Z
- Modified
- 2024-02-16T08:16:34.707047Z
- Severity
-
- 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- zenstruck/collection passing callable string to EntityRepository::find() and query()
- Details
-
Impact
Passing callable strings (ie
system) caused the function to be executed.Patches
Fixed in v0.2.1.
Workarounds
Do not allow passing user strings to
EntityRepository::find()orquery().References
- Database specific
{ "severity": "HIGH", "nvd_published_at": "2023-07-14T21:15:09Z", "github_reviewed_at": "2023-07-14T21:59:13Z", "github_reviewed": true, "cwe_ids": [ "CWE-74" ] }- References
-
- https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq
- https://nvd.nist.gov/vuln/detail/CVE-2023-37473
- https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c
- https://github.com/zenstruck/collection
- https://github.com/zenstruck/collection/releases/tag/v0.2.1
Affected packages
Packagist / zenstruck/collection
Package
- Name
- zenstruck/collection
- Purl
- pkg:composer/zenstruck/collection