Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW00OTYteDU2Ny1mOThj

Fixes a bug in Zend Framework's Stream HTTP Wrapper

Impact

CVE-2021-3007: backport of the Zend_Http_Response_Stream fix, which adds type checking to prevent exploitation. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007

This vulnerability is caused by insecure deserialization of an object. In Zend Framework 3.0.0 and later, an attacker abuses the Zend 3 feature that instantiates classes from serialized objects in order to upload and execute malicious code on the server. The code is supplied through the “callback” parameter, which in this case carries malicious code in place of the expected “callbackOptions” array.
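The shape of the flaw described above, as an added PHP illustration that is not OpenMage, Zend Framework or Laminas code: the class names StreamResponse, CallbackValidator and StreamResponseFixed, their property names and the payload are hypothetical stand-ins chosen to mirror the pattern (a destructor that passes an untrusted property to unlink(), and a second, already-loaded class whose __toString() runs a configurable callback with a callbackOptions array). The callable is printf so the effect is visible without doing any damage; the hardened variant shows what a type check in the destructor buys, and safeUnserialize() shows the application-level mitigation that needs no gadget fix at all.

```php
<?php
// Added example, not the project's code. All class and property names are
// hypothetical; the payload is constructed locally for the demonstration.

// Gadget 1: a destructor that treats an untrusted property as a file path.
class StreamResponse
{
    public $cleanup = true;
    public $streamName;

    public function __destruct()
    {
        // Vulnerable: no type check. unlink() coerces a Stringable object to
        // string, which invokes its __toString() and so runs gadget 2.
        // The @ only keeps the "No such file" warning out of the demo output.
        if ($this->cleanup) {
            @unlink($this->streamName);
        }
    }
}

// Gadget 2: a class that runs a configurable callback from __toString().
// The attacker never defines this class; it is reused from the application.
class CallbackValidator
{
    public $callback;
    public $callbackOptions = [];

    public function __toString(): string
    {
        return (string) call_user_func_array($this->callback, $this->callbackOptions);
    }
}

// Hardened variant: is_string() stops the chain before unlink() is reached,
// so __toString() on the injected object is never invoked.
class StreamResponseFixed
{
    public $cleanup = true;
    public $streamName;

    public function __destruct()
    {
        if ($this->cleanup && is_string($this->streamName) && file_exists($this->streamName)) {
            unlink($this->streamName);
        }
    }
}

// Constructed payload: a serialized outer object whose streamName property is
// the callback gadget. The outer object is written textually so that its own
// destructor does not fire while we are merely building the string.
function buildPayload(string $outerClass): string
{
    $inner = new CallbackValidator();
    $inner->callback = 'printf';   // stand-in for an arbitrary callable
    $inner->callbackOptions = ["callback fired with attacker-controlled argument: %s\n", 'pwned'];

    return sprintf(
        'O:%d:"%s":2:{s:7:"cleanup";b:1;s:10:"streamName";%s}',
        strlen($outerClass),
        $outerClass,
        serialize($inner)
    );
}

// The application's unsafe sink: unserialize() of attacker-controlled data.
function triggerUnserialize(string $payload): void
{
    $obj = unserialize($payload);
    unset($obj);   // destructor runs here
}

// Mitigation independent of any gadget fix: refuse to instantiate classes at
// all, so no destructor or __toString() can run. Objects come back as
// __PHP_Incomplete_Class, which has neither.
function safeUnserialize(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}

echo "vulnerable destructor:\n";
triggerUnserialize(buildPayload(StreamResponse::class));       // callback fires

echo "hardened destructor:\n";
triggerUnserialize(buildPayload(StreamResponseFixed::class));  // nothing happens

echo "allowed_classes => false:\n";
echo get_class(safeUnserialize(buildPayload(StreamResponse::class))), "\n";  // __PHP_Incomplete_Class
```

Run it with `php gadget_chain.php` (any PHP 7.x or 8.x). Only the first case prints the "callback fired" line: the vulnerable destructor coerces the injected object to a string and so executes the callback, the type-checked destructor never touches it, and with allowed_classes disabled the payload cannot instantiate either gadget class in the first place. The real fix shipped in the OpenMage versions listed under Patches below.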

Patches

The problem has been patched. Users should upgrade to v20.0.9 (20.x branch) or v19.4.13 (19.4.x branch).

Permalink: https://github.com/advisories/GHSA-m496-x567-f98c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW00OTYteDU2Ny1mOThj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-m496-x567-f98c, CVE-2021-21426
References: Repository: https://github.com/OpenMage/magento-lts
Blast Radius: 14.6

Affected Packages

packagist:openmage/magento-lts
Dependent packages: 21
Dependent repositories: 31
Downloads: 145,779 total
Affected Version Ranges: >= 20.0.0, <= 20.0.8; <= 19.4.12
Fixed in: 20.0.9, 19.4.13
All affected versions: 19.4.0, 19.4.1, 19.4.2, 19.4.3, 19.4.4, 19.4.5, 19.4.6, 19.4.7, 19.4.8, 19.4.9, 19.4.10, 19.4.11, 19.4.12, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 20.0.6, 20.0.7, 20.0.8
All unaffected versions: 19.4.13, 19.4.14, 19.4.15, 19.4.16, 19.4.17, 19.4.18, 19.4.19, 19.4.20, 19.4.21, 19.4.22, 19.4.23, 19.5.0, 19.5.1, 19.5.2, 19.5.3, 20.0.10, 20.0.11, 20.0.12, 20.0.13, 20.0.14, 20.0.15, 20.0.16, 20.0.17, 20.0.18, 20.0.19, 20.0.20, 20.1.0, 20.1.1, 20.2.0, 20.3.0, 20.4.0, 20.5.0, 20.6.0