GHSA-mw2w-2hj2-fg8q

Suggest an improvement
Source
https://github.com/advisories/GHSA-mw2w-2hj2-fg8q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-mw2w-2hj2-fg8q/GHSA-mw2w-2hj2-fg8q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mw2w-2hj2-fg8q
Aliases
Published
2023-11-14T22:19:28Z
Modified
2024-02-16T08:19:54.325789Z
Severity
  • CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
yiisoft/yii deserializing untrusted user input can lead to remote code execution
Details

Impact

Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input.

Patches

Upgrade yiisoft/yii to version 1.1.29 or higher.

For more information

See the following links for more details: - Git commit - https://owasp.org/www-community/vulnerabilities/PHPObjectInjection

If you have any questions or comments about this advisory, contact us through security form.

References

Affected packages

Packagist / yiisoft/yii

Package

Name
yiisoft/yii
Purl
pkg:composer/yiisoft/yii

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
1.1.29

Affected versions

1.*

1.1.14-rc
1.1.14
1.1.15
1.1.16
1.1.17
1.1.18
1.1.19
1.1.20
1.1.21
1.1.22
1.1.23
1.1.24
1.1.25
1.1.26
1.1.27
1.1.28