GHSA-8vp7-j5cj-vvm2

Source

https://github.com/advisories/GHSA-8vp7-j5cj-vvm2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-8vp7-j5cj-vvm2/GHSA-8vp7-j5cj-vvm2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8vp7-j5cj-vvm2

Aliases

Published

2020-01-31T18:00:43Z

Modified

2024-02-16T08:01:11.992245Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Ability to expose data in Sylius by using an unintended serialisation group

Details

Impact

ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API.

Anyone exposing an API with ResourceBundle's controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2.

Patches

The patch is provided for ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.

After it is applied, It allows to choose only the groups that are defined in serialization_groups or allowed_serialization_groups route definition. Any group not defined in those will not be used.

This behaviour might be a BC break for those using custom groups via the HTTP header, please adjust allowed_serialization_groups accordingly.

Workarounds

Service sylius.resource_controller.request_configuration_factory can be overridden with an implementation copied from \Sylius\Bundle\ResourceBundle\Controller\RequestConfigurationFactory where the part that handles custom serialisation groups is deleted.

Database specific

{
    "nvd_published_at": "2020-01-27T21:15:11Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-444"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-27T20:11:32Z"
}

References

Affected packages

Packagist / sylius/resource-bundle

Package

Name: sylius/resource-bundle
Purl: pkg:composer/sylius/resource-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.4.0

Fixed

1.4.6

Affected versions

v1.*

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

Packagist / sylius/resource-bundle

Package

Name: sylius/resource-bundle
Purl: pkg:composer/sylius/resource-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.5.0

Fixed

1.5.1

Affected versions

v1.*

v1.5.0

Packagist / sylius/resource-bundle

Package

Name: sylius/resource-bundle
Purl: pkg:composer/sylius/resource-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.6.0

Fixed

1.6.3

Affected versions

v1.*

v1.6.0

v1.6.1

v1.6.2

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.12

Affected versions

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v1.*

v1.0.0-alpha.1

v1.0.0-alpha.2

v1.0.0-beta.1

v1.0.0-beta.2

v1.0.0-beta.3

v1.0.0-rc.1

v1.0.0-rc.2

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.0.10

v1.0.11

v1.0.12

v1.0.13

v1.0.14

v1.0.15

v1.0.16

v1.0.17

v1.0.18

v1.1.0-RC

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.1.10

v1.1.11

v1.1.12

v1.1.13

v1.1.14

v1.1.15

v1.1.16

v1.1.17

v1.1.18

v1.2.0-BETA

v1.2.0-RC

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.14

v1.2.15

v1.2.16

v1.2.17

v1.3.0-BETA

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.3.10

v1.3.11

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.4.0

Fixed

1.4.4

Affected versions

v1.*

v1.4.0

v1.4.1

v1.4.2

v1.4.3

Packagist / sylius/resource-bundle

Package

Name: sylius/resource-bundle
Purl: pkg:composer/sylius/resource-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.3.13

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.0.10

v1.0.11

v1.0.12

v1.0.13

v1.0.14

v1.0.15

v1.0.16

v1.0.17

v1.0.18

v1.1.0-RC

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.1.10

v1.1.11

v1.1.12

v1.1.13

v1.1.14

v1.1.15

v1.1.17

v1.1.18

v1.2.0-BETA

v1.2.0-RC

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.14

v1.2.15

v1.2.16

v1.2.17

v1.3.0-BETA

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.3.10

v1.3.11

v1.3.12