Potential remote code execution in the Lua context of the Redis server via the methods yii\redis\ActiveRecord::findOne() and yii\redis\ActiveRecord::findAll() in yiisoft/yii2-redis. Attackers could probably manipulate data on the Redis server.
www.yiiframework.com/news/168/releasing-yii-2-0-15-and-database-extensions-with-security-fixes
github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2-redis/CVE-2018-8073.yaml
github.com/yiisoft/yii2-redis
nvd.nist.gov/vuln/detail/CVE-2018-8073