7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.8%
Values appended to the query for sorting were passed directly to the database. We do not know whether this could lead to direct SQL injection; however, unvalidated values should not be allowed to reach the query there anyway.
The issue is fixed in version 1.10.1 and in 1.11-rc.1
You have to override the Sylius\Component\Grid\Sorting\Sorter class with the following implementation:
<?php
// src/App/Sorting/Sorter.php
declare(strict_types=1);
namespace App\Sorting;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Sylius\Component\Grid\Data\DataSourceInterface;
use Sylius\Component\Grid\Definition\Grid;
use Sylius\Component\Grid\Parameters;
use Sylius\Component\Grid\Sorting\SorterInterface;
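final class Sorter implements SorterInterface
{
    /** Sort directions accepted from the request; anything else is rejected before reaching the query. */
    private const ALLOWED_ORDERS = ['asc', 'desc'];

    /**
     * Applies the requested sorting to the data source.
     *
     * The sorting map comes from the "sorting" request parameter (falling back to
     * the grid's configured sorting). Every entry is validated before anything is
     * handed to the expression builder: each key must name a field defined on the
     * grid and each value must be exactly one of ALLOWED_ORDERS. The column that
     * is ordered by is the field's configured "sortable" property, never a value
     * taken from the request.
     *
     * @throws BadRequestHttpException when the sorting parameter is not an array,
     *                                 names an unknown field, or uses an unknown direction
     */
    public function sort(DataSourceInterface $dataSource, Grid $grid, Parameters $parameters): void
    {
        $enabledFields = $grid->getFields();
        $expressionBuilder = $dataSource->getExpressionBuilder();
        $sorting = $parameters->get('sorting', $grid->getSorting());

        // A scalar "sorting" parameter (e.g. ?sorting=asc) would otherwise hit the
        // array type declaration below and surface as a TypeError (HTTP 500)
        // instead of a bad request.
        if (!is_array($sorting)) {
            throw new BadRequestHttpException('sorting is not valid, expected a map of field => asc|desc.');
        }

        $this->validateSortingParams($sorting, $enabledFields);

        foreach ($sorting as $field => $order) {
            // Numeric-looking keys become ints in PHP arrays; cast so the string
            // type declarations downstream hold under strict_types.
            $gridField = $grid->getField((string) $field);
            $property = $gridField->getSortable();

            if (null !== $property) {
                $expressionBuilder->addOrderBy($property, $order);
            }
        }
    }

    /**
     * Validates every sorting entry: the key must be an enabled grid field and the
     * value must be one of ALLOWED_ORDERS, compared strictly (no loose comparison,
     * non-string values are rejected rather than coerced).
     *
     * @param array<array-key, mixed> $sorting       field name => direction, as received
     * @param array<string, mixed>    $enabledFields grid fields keyed by field name
     *
     * @throws BadRequestHttpException
     */
    private function validateSortingParams(array $sorting, array $enabledFields): void
    {
        foreach ($sorting as $field => $order) {
            $this->validateFieldNames((string) $field, $enabledFields);

            if (!is_string($order) || !in_array($order, self::ALLOWED_ORDERS, true)) {
                // Non-string values (arrays, null) cannot be interpolated with %s
                // without a notice; report their type instead.
                throw new BadRequestHttpException(sprintf(
                    '%s is not valid, use asc or desc instead.',
                    is_string($order) ? $order : gettype($order)
                ));
            }
        }
    }

    /**
     * Rejects any field name that is not defined on the grid.
     *
     * @param array<string, mixed> $enabledFields grid fields keyed by field name
     *
     * @throws BadRequestHttpException listing the valid field names
     */
    private function validateFieldNames(string $fieldName, array $enabledFields): void
    {
        $enabledFieldsNames = array_keys($enabledFields);

        if (!in_array($fieldName, $enabledFieldsNames, true)) {
            throw new BadRequestHttpException(sprintf(
                '%s is not valid field, did you mean one of these: %s?',
                $fieldName,
                implode(', ', $enabledFieldsNames)
            ));
        }
    }
}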
and register it in your container:
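# config/services.yaml
services:
    # ...
    # Replaces the bundle's built-in sorter with the validating implementation above.
    sylius.grid.sorter:
        class: App\Sorting\Sorter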
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
sylius/grid-bundle | lt | 1.10.1 |
github.com/advisories/GHSA-2xmm-g482-4439
github.com/Sylius/SyliusGridBundle/commit/73d0791d0575f955e830a3da4c3345f420d2f784
github.com/Sylius/SyliusGridBundle/pull/222
github.com/Sylius/SyliusGridBundle/releases/tag/v1.10.1
github.com/Sylius/SyliusGridBundle/releases/tag/v1.11.0-RC.2
github.com/Sylius/SyliusGridBundle/security/advisories/GHSA-2xmm-g482-4439
nvd.nist.gov/vuln/detail/CVE-2022-24752
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
55.8%