GHSA-qhjc-hg94-245v

Source

https://github.com/advisories/GHSA-qhjc-hg94-245v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-qhjc-hg94-245v/GHSA-qhjc-hg94-245v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qhjc-hg94-245v

Published

2024-05-15T21:18:20Z

Modified

2024-11-29T05:33:59.442523Z

Summary

eZ Platform Prevent accepting app.php in URL in Platform.sh

Details

The recommended rewrite rules in eZ Platform prevent users from including the front-controller script (normally "app.php") in URLs. This prevents certain vulnerabilities related to caching. However, this is not possible when using eZ Platform Cloud (i.e. running eZ Platform on the Platform.sh cloud service), nor can it be done within the .platform.app.yaml configuration file. Therefore we need to reject such requests in the application itself. This advisory adds the prevention within the front controller script itself.

If you use eZ Platform Cloud / Platform.sh we recommend that you install this security update as soon as possible. It is distributed via Composer as ezsystems/ezplatform 1.7.9.1, and 1.13.5.1, and 2.5.4. This is the commit: https://github.com/ezsystems/ezplatform/commit/34ce86722b36a172e587068fe64a84faa7320cc2

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T21:18:20Z"
}

References

Affected packages

Packagist / ezsystems/ezplatform

Package

Name: ezsystems/ezplatform
Purl: pkg:composer/ezsystems/ezplatform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.0

Fixed

2.5.4

Affected versions

v2.*

v2.5.0

v2.5.1

v2.5.2

v2.5.3

Packagist / ezsystems/ezplatform

Package

Name: ezsystems/ezplatform
Purl: pkg:composer/ezsystems/ezplatform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.13.0

Fixed

1.13.5.1

Affected versions

v1.*

v1.13.0

v1.13.1-rc1

v1.13.1

v1.13.1.1

v1.13.2-rc1

v1.13.2

v1.13.3-rc1

v1.13.3

v1.13.4-beta1

v1.13.4-rc1

v1.13.4-rc2

v1.13.4

v1.13.4.1

v1.13.5-rc1

v1.13.5-rc2

v1.13.5

Packagist / ezsystems/ezplatform

Package

Name: ezsystems/ezplatform
Purl: pkg:composer/ezsystems/ezplatform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.7.0

Fixed

1.7.9.1

Affected versions

v1.*

v1.7.0

v1.7.1-rc1

v1.7.2-rc1

v1.7.2-rc2

v1.7.2

v1.7.3-rc1

v1.7.3-rc2

v1.7.3

v1.7.4-rc1

v1.7.4

v1.7.5-rc1

v1.7.5-rc2

v1.7.5

v1.7.6-rc1

v1.7.6

v1.7.7-rc1

v1.7.7-rc2

v1.7.7

v1.7.8-rc1

v1.7.8-rc2

v1.7.8

v1.7.8.1

v1.7.9-rc1

v1.7.9