6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
0.003 Low
EPSS
Percentile
70.2%
Request parameters injected inside an expression evaluated by symfony/expression-language
package haven’t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.
The vulnerable versions include: <=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3
.
sylius_grid:
grids:
foo:
fields:
bar:
options:
baz: "expr:service('sylius.repository.product').find($id)"
In this case, $id
can be prepared in a way that calls other services.
If you visit /route?id="~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"
, it will result in a following expression expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"")
, which will execute a query on the currently connected database.
To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.
This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.
The fix requires adding addslashes
in OptionsParser::parseOptionExpression
to sanitize user input before evaluating it using the expression language.
- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;
This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
sylius/resource-bundle | lt | 1.3.14 | |
sylius/resource-bundle | lt | 1.6.4 | |
sylius/resource-bundle | lt | 1.5.2 | |
sylius/resource-bundle | lt | 1.4.7 |
github.com/advisories/GHSA-h6m7-j4h3-9rf5
github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15146.yaml
github.com/Sylius/SyliusResourceBundle/commit/73d9aba182947473a5935b31caf65ca263091e00
github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-h6m7-j4h3-9rf5
nvd.nist.gov/vuln/detail/CVE-2020-15146
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
0.003 Low
EPSS
Percentile
70.2%