Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThndjMtM2o3Zi13Zzk0
Potential Remote Code Execution vulnerability
Packages nette/application versions prior to 2.2.10, 2.3.14, 2.4.16 and 3.0.6, and nette/nette versions prior to 2.0.19 and 2.1.13, are vulnerable to a code injection attack: specially formed parameters passed in the URL may lead to remote code execution (RCE).
Reported by Cyku Hong from DEVCORE (https://devco.re)
Impact
Code injection, possible remote code execution.
Patches
Fixed in nette/application 2.2.10, 2.3.14, 2.4.16, 3.0.6 and nette/nette 2.0.19 and 2.1.13
Permalink: https://github.com/advisories/GHSA-8gv3-3j7f-wg94
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThndjMtM2o3Zi13Zzk0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: 3 months ago
CVSS Score: 8.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Identifiers: GHSA-8gv3-3j7f-wg94, CVE-2020-15227
References:
- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
- https://packagist.org/packages/nette/application
- https://packagist.org/packages/nette/nette
- https://nvd.nist.gov/vuln/detail/CVE-2020-15227
- https://lists.debian.org/debian-lts-announce/2021/04/msg00003.html
- https://blog.nette.org/en/cve-2020-15227-potential-remote-code-execution-vulnerability
- https://github.com/FriendsOfPHP/security-advisories/blob/master/nette/application/CVE-2020-15227.yaml
- https://github.com/advisories/GHSA-8gv3-3j7f-wg94
Blast Radius: 29.3
Affected Packages
packagist:nette/application
Dependent packages: 954
Dependent repositories: 2,335
Downloads: 9,405,742 total
Affected Version Ranges: >= 2.1.0 and < 2.1.13; >= 2.0.0 and < 2.0.19; >= 3.0.0 and < 3.0.6; >= 2.4.0 and < 2.4.16; >= 2.3.0 and < 2.3.14; >= 2.2.0 and < 2.2.10
Fixed in: 2.1.13, 2.0.19, 3.0.6, 2.4.16, 2.3.14, 2.2.10
All affected versions: 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5
All unaffected versions: 2.2.10, 2.3.14, 2.4.16, 2.4.17, 3.0.6, 3.0.7, 3.0.8, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.2.0, 3.2.1, 3.2.2, 3.2.3