Object injection in cookie driver in phpfastcache

2019-12-1222:50:20

Google

osv.dev

0.003 Low

EPSS

Percentile

70.2%

JSON

Impact

An possible object injection has been discovered in cookie driver prior 5.0.13 versions (of 5.x releases).

Patches

The issue has been addressed by enforcing JSON conversion when deserializing

Workarounds

If you can’t fix it, use another driver such as “Files” (Filesystem)

References

Fixing release: https://github.com/PHPSocialNetwork/phpfastcache/releases/tag/5.0.13

For more information

If you have any questions or comments about this advisory:

Open an issue in the issue tracker
Email us at [email protected]

CPENameOperatorVersion
phpfastcache/phpfastcacheeq5.0.6
phpfastcache/phpfastcacheeq5.0.1
phpfastcache/phpfastcacheeq5.0.4
phpfastcache/phpfastcacheeq5.0.0
phpfastcache/phpfastcacheeq5.0.2
phpfastcache/phpfastcacheeq5.0.10
phpfastcache/phpfastcacheeq5.0.7
phpfastcache/phpfastcacheeq5.0.3
phpfastcache/phpfastcacheeq5.0.8
phpfastcache/phpfastcacheeq5.0.12

Name	Operator	Version
phpfastcache/phpfastcache	eq	5.0.6
phpfastcache/phpfastcache	eq	5.0.1
phpfastcache/phpfastcache	eq	5.0.4
phpfastcache/phpfastcache	eq	5.0.0
phpfastcache/phpfastcache	eq	5.0.2
phpfastcache/phpfastcache	eq	5.0.10
phpfastcache/phpfastcache	eq	5.0.7
phpfastcache/phpfastcache	eq	5.0.3
phpfastcache/phpfastcache	eq	5.0.8
phpfastcache/phpfastcache	eq	5.0.12