CVE-2020-15148 (High) detected in yiisoft/yii2-2.0.35

Question

CVE-2020-15148 (High) detected in yiisoft/yii2-2.0.35

mend-bolt-for-github opened this issue 4 years ago · 1 comments

mend-bolt-for-github commented 4 years ago

CVE-2020-15148 - High Severity Vulnerability

Vulnerable Library - yiisoft/yii2-2.0.35

Yii PHP Framework Version 2

Library home page: https://api.github.com/repos/yiisoft/yii2-framework/zipball/d42809e4969cdc0adb97197ba32774b3e4cd9e8e

Dependency Hierarchy:

yiisoft/yii2-gii-2.2.1 (Root Library)
- ❌ yiisoft/yii2-2.0.35 (Vulnerable Library)

Found in HEAD commit: 748afcb37dc025e23b4c1b7dde491da906d98395

Vulnerability Details

Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls unserialize() on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

Publish Date: 2020-09-15

URL: CVE-2020-15148

CVSS 3 Score Details (10.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.x.org/archives/xorg-announce/2020-August/003058.html

Release Date: 2020-07-21

Fix Resolution: 2.0.38

Step up your Open Source Security Game with WhiteSource here