GHSA-g3p6-82vc-43jh

Source

https://github.com/advisories/GHSA-g3p6-82vc-43jh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-g3p6-82vc-43jh/GHSA-g3p6-82vc-43jh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g3p6-82vc-43jh

Aliases

CVE-2025-48493

Published

2025-06-05T16:53:23Z

Modified

2025-06-06T16:45:32.687424Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:H CVSS Calculator

Summary

Yii 2 Redis may expose AUTH parameters in logs in case of connection failure

Details

Impact

On failing connection extension writes commands sequence to logs. AUTH parameters are written in plain text exposing username and password. That might be an issue if attacker has access to logs.

Database specific

{
    "nvd_published_at": "2025-06-05T17:15:29Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2025-06-05T16:53:23Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-532"
    ]
}

References

Affected packages

Packagist / yiisoft/yii2-redis

Package

Name: yiisoft/yii2-redis
Purl: pkg:composer/yiisoft/yii2-redis

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.20

Affected versions

2.*

2.0.0-alpha

2.0.0-beta

2.0.0-rc

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.0.14

2.0.15

2.0.16

2.0.17

2.0.18

2.0.19