Headline
CVE-2022-41922: Prevent RCE when deserializing untrusted user input
yiisoft/yii before version 1.1.27 is vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input. This has been patched in 1.1.27.
High
samdark published GHSA-442f-wcwq-fpcf
Nov 21, 2022
Package
composer yiisoft/yii (Composer)
Affected versions
<1.1.27
Patched versions
1.1.27
Description
Impact
Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input.
Patches
Upgrade yiisoft/yii to version 1.1.27 or higher.
For more information
See the following links for more details:
- Git commit: https://github.com/yiisoft/yii/commit/ed67b7cc57216557c5c595c6650cdd2d3aa41c52
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
If you have any questions or comments about this advisory, contact us through the security form: https://www.yiiframework.com/security
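The unsafe pattern this advisory describes (unserialize() on bytes the client controls), shown beside a hardened decoder, as an added example that is not Yii project code. The function names decodeStateUnsafe, decodeStateSafe and containsObject and the serialized sample string are constructed for this illustration; the sample is a harmless stdClass, not any gadget from the framework.

```php
<?php
declare(strict_types=1);

// Unsafe: untrusted bytes go straight to unserialize(), so the sender can
// instantiate any loadable class and trigger its magic methods
// (__wakeup, __destruct, ...). This is the pattern the advisory warns about.
function decodeStateUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened: forbid object instantiation entirely. With allowed_classes => false
// every object in the payload becomes __PHP_Incomplete_Class (no magic methods
// run); we then reject the payload outright instead of working with the stub.
function decodeStateSafe(string $untrusted): mixed
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    // unserialize() returns false both on malformed input and for the literal
    // serialized boolean false, so only treat the former as an error.
    if ($value === false && $untrusted !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('objects are not permitted in untrusted state');
    }
    return $value;
}

// Walks nested arrays so an object hidden inside a list is still caught.
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample: an innocuous object wrapped in an array.
$sample = 'a:1:{s:4:"user";O:8:"stdClass":1:{s:4:"name";s:5:"alice";}}';

var_dump(decodeStateUnsafe($sample)['user'] instanceof stdClass); // bool(true): object was built
try {
    decodeStateSafe($sample);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // objects are not permitted in untrusted state
}
var_dump(decodeStateSafe('a:1:{i:0;s:2:"ok";}')); // plain arrays still round-trip
```

Where the data format is under your control, json_decode() on untrusted input avoids the object-instantiation problem altogether; allowed_classes => false is the fallback when the serialized format cannot be changed.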
Severity
High
8.1 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID
CVE-2022-41922
Weaknesses
CWE-502
Credits
- fi3wey