Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY5OXEtd2NmZi1nOW1q

High EPSS: 0.917% (0.99655 Percentile) EPSS:
Permalink JSON

Unsafe deserialization in Yii 2

Affected Packages Affected Versions Fixed Versions
packagist:yiisoft/yii2 < 2.0.38 2.0.38
9,497 Dependent packages
33,911 Dependent repositories
26,366,550 Downloads total

Affected Version Ranges

All affected versions

2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.29, 2.0.30, 2.0.31, 2.0.32, 2.0.33, 2.0.34, 2.0.35, 2.0.36, 2.0.37

All unaffected versions

2.0.38, 2.0.39, 2.0.40, 2.0.41, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 2.0.46, 2.0.47, 2.0.48, 2.0.49, 2.0.50, 2.0.51, 2.0.52, 2.0.53

Impact

Remote code execution in case application calls unserialize() on user input containing specially crafted string.

Patches

2.0.38

Workarounds

Add the following to BatchQueryResult.php:

public function __sleep()
{
    throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
}

public function __wakeup()
{
    throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
}

For more information

If you have any questions or comments about this advisory, contact us through security form.

References:

Identifiers

GHSA-699q-wcff-g9mj

CVE-2020-15148

Risk

Severity

High

EPSS

EPSS Percentage: 0.917

EPSS Percentile: 0.99655

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/yiisoft/yii2

Date and time

Published

almost 5 years ago

Updated

over 1 year ago

API

JSON