Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00Z2pqLXI3dzgtNDJjcc4AASjv
Jerome Gamez Firebase Admin SDK for PHP Incorrect Access Control vulnerability
Jerome Gamez Firebase Admin SDK for PHP versions 3.2.0 through 3.8.0 contain an Incorrect Access Control vulnerability in src/Firebase/Auth/IdTokenVerifier.php, which does not verify the token signature. As a result, a JWT carrying any email address and user ID could be forged from a genuine token or created from scratch. The attack appears to be exploitable by an attacker who, in most cases, would only need to know the victim's email address. This vulnerability appears to have been fixed in 3.8.1.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00Z2pqLXI3dzgtNDJjcc4AASjv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 25 days ago
CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-4gjj-r7w8-42cq, CVE-2018-1000025
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000025
- https://github.com/kreait/firebase-php/pull/151
- https://github.com/kreait/firebase-php/releases/tag/3.8.1
- https://github.com/FriendsOfPHP/security-advisories/blob/master/kreait/firebase-php/CVE-2018-1000025.yaml
- https://github.com/advisories/GHSA-4gjj-r7w8-42cq
Blast Radius: 25.9
Affected Packages
packagist:kreait/firebase-php
Dependent packages: 69
Dependent repositories: 1,574
Downloads: 18,968,090 total
Affected Version Ranges: >= 3.2.0, < 3.8.1
Fixed in: 3.8.1
All affected versions: 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.7.0, 3.7.1, 3.8.0
All unaffected versions: 0.1.1, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.6.1, 0.6.2, 0.9.1, 0.10.0, 0.10.1, 0.10.2, 1.0.1, 1.1.1, 1.2.1, 1.2.2, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.3.0, 2.3.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.8.1, 3.8.2, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.7.1, 4.8.0, 4.9.0, 4.10.0, 4.10.1, 4.11.0, 4.12.0, 4.12.1, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0, 4.15.0, 4.15.1, 4.16.0, 4.17.0, 4.17.1, 4.18.0, 4.18.1, 4.18.2, 4.19.0, 4.19.1, 4.20.0, 4.20.1, 4.21.0, 4.21.1, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.30.1, 4.31.0, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.35.1, 4.36.0, 4.36.1, 4.36.2, 4.37.0, 4.38.0, 4.38.1, 4.39.0, 4.39.1, 4.39.2, 4.40.0, 4.40.1, 4.41.0, 4.42.0, 4.42.1, 4.43.0, 4.44.0, 5.0.0, 5.1.0, 5.1.1, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.8.1, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.14.0, 5.14.1, 5.15.0, 5.16.0, 5.17.0, 5.17.1, 5.18.0, 5.19.0, 5.20.0, 5.20.1, 5.21.0, 5.22.0, 5.23.0, 5.24.0, 5.25.0, 5.26.0, 5.26.1, 5.26.2, 5.26.3, 5.26.4, 5.26.5, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.7.0, 6.7.1, 6.8.0, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 6.9.5, 6.9.6, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.5.0, 7.5.1, 7.5.2, 7.6.0, 7.7.0, 7.8.0, 7.9.0, 7.9.1, 7.10.0