GHSA-442f-wcwq-fpcf: Prevent RCE when deserializing untrusted user input
Impact
Affected versions of yiisoft/yii are vulnerable to Remote Code Execution (RCE) if the application calls unserialize() on arbitrary user input.
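The pattern this advisory warns about, shown next to two hardened alternatives, as an added example that is not code from the Yii project; the function names and the serialized sample inputs are constructed for illustration:

```php
<?php
// Added example (not Yii project code).

// VULNERABLE: unserialize() on attacker-controlled bytes lets the caller
// instantiate any loaded class with attacker-chosen properties; that
// class's magic methods (__wakeup, __destruct, ...) then run, which is
// the PHP Object Injection primitive behind the RCE described above.
function loadPrefsUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED 1: refuse to instantiate objects. With allowed_classes=false
// any serialized object decodes to __PHP_Incomplete_Class, whose magic
// methods never run, and the type check below rejects it outright.
// max_depth (PHP >= 7.4) bounds nesting so deeply nested input cannot
// exhaust the stack.
function loadPrefsNoObjects(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    return $data;
}

// HARDENED 2: do not use PHP's native serialization for untrusted input
// at all; json_decode() can only yield scalars and arrays.
function loadPrefsJson(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object or array');
    }
    return $data;
}

// Constructed sample inputs: a harmless array and a serialized object.
$arrayInput  = 'a:1:{s:5:"theme";s:4:"dark";}';
$objectInput = 'O:8:"stdClass":1:{s:1:"x";i:1;}';

var_dump(loadPrefsNoObjects($arrayInput));
try {
    loadPrefsNoObjects($objectInput);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(loadPrefsJson('{"theme":"dark"}'));
```

Grepping an application for unserialize() calls whose argument can be traced to request data (query string, POST body, cookies, headers) is the practical way to find code that this advisory makes exploitable.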
Patches
Upgrade yiisoft/yii to version 1.1.27 or higher.
For more information
See the following links for more details:
- Git commit
- https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
If you have any questions or comments about this advisory, contact us through the security form.
High severity GitHub Reviewed Published Nov 21, 2022 in yiisoft/yii • Updated Nov 21, 2022
Package
composer yiisoft/yii (Composer)
Affected versions
< 1.1.27
Patched versions
1.1.27
Description
References
- GHSA-442f-wcwq-fpcf
samdark published the maintainer security advisory
Nov 21, 2022
Severity
High, 8.1 / 10
CVSS base metrics
- Attack vector: Network
- Attack complexity: High
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses
No CWEs
CVE ID
CVE-2022-41922
GHSA ID
GHSA-442f-wcwq-fpcf
Source code
yiisoft/yii