Lucene search
GoogleOSV:GHSA-699Q-WCFF-G9MJHistorySep 15, 2020 - 6:19 p.m.
Unsafe deserialization in Yii 2
2020-09-1518:19:56
Google
osv.dev
74
0.027 Low
EPSS
Percentile
90.6%
Impact
Remote code execution in case application calls unserialize() on user input containing specially crafted string.
Patches
2.0.38
Workarounds
Add the following to BatchQueryResult.php:
public function __sleep()
{
throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
}
public function __wakeup()
{
throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
}
For more information
If you have any questions or comments about this advisory, contact us through security form.
References
github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2020-15148.yaml
github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj
nvd.nist.gov/vuln/detail/CVE-2020-15148
www.yiiframework.com/news/303/yii-2-0-38
Related
cvelist
cvelist
CVE-2020-15148 Unsafe deserialization in Yii 2
2020-09-15 18:25:12
githubexploit
githubexploit
Exploit for Deserialization of Untrusted Data in Yiiframework Yii
2020-09-21 03:55:55
nuclei
nuclei
Yii 2 < 2.0.38 - Remote Code Execution
2021-03-29 20:47:04
cve
cve
CVE-2020-15148
2020-09-15 19:15:12
prion
prion
Remote code execution
2020-09-15 19:15:00
github
github
Unsafe deserialization in Yii 2
2020-09-15 18:19:56
nvd
nvd
CVE-2020-15148
2020-09-15 19:15:12
veracode
veracode
Remote Code Execution (RCE)
2020-09-16 01:39:51
osv
osv
CVE-2020-15148
2020-09-15 19:15:12
friendsofphp
friendsofphp