GHSA-8gv3-3j7f-wg94

Source
https://github.com/advisories/GHSA-8gv3-3j7f-wg94
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-8gv3-3j7f-wg94/GHSA-8gv3-3j7f-wg94.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8gv3-3j7f-wg94
Aliases
Published
2020-10-02T16:22:19Z
Modified
2024-02-16T08:20:10.160691Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Summary
Potential Remote Code Execution vulnerability
Details

The packages nette/application in versions prior to 2.2.10, 2.3.14, 2.4.16 and 3.0.6, and nette/nette in versions prior to 2.0.19 and 2.1.13, are vulnerable to a code injection attack: specially formed parameters passed in the URL may lead to remote code execution (RCE).

Reported by Cyku Hong from DEVCORE (https://devco.re)

Impact

Code injection, possible remote code execution.

Patches

Fixed in nette/application 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette 2.0.19 and 2.1.13

Database specific
{
    "nvd_published_at": "2020-10-01T19:15:00Z",
    "cwe_ids": [
        "CWE-74",
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-01T19:00:48Z"
}
References

Affected packages

Packagist / nette/application

Package

Name
nette/application
Purl
pkg:composer/nette/application

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.10

Affected versions

v2.*

v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9

Packagist / nette/application

Package

Name
nette/application
Purl
pkg:composer/nette/application

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.14

Affected versions

v2.*

v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13

Packagist / nette/application

Package

Name
nette/application
Purl
pkg:composer/nette/application

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.4.16

Affected versions

v2.*

v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.4.11
v2.4.12
v2.4.13
v2.4.14
v2.4.15

Packagist / nette/application

Package

Name
nette/application
Purl
pkg:composer/nette/application

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.6

Affected versions

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.2.1
v3.0.3
v3.0.4
v3.0.5

Packagist / nette/application

Package

Name
nette/application
Purl
pkg:composer/nette/application

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.0.19

Packagist / nette/application

Package

Name
nette/application
Purl
pkg:composer/nette/application

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.13