Unsafe deserialization in Yii 2
翻訳中…プラットフォーム
php
コンポーネント
yiisoft/yii2
修正版
2.0.39
2.0.38
CVE-2020-15148 is an insecure deserialization vulnerability affecting the Yii2 PHP framework. This flaw allows an attacker to execute arbitrary code on a server if the application processes user-supplied data containing a specially crafted serialized string through the unserialize() function. Successful exploitation can lead to complete system compromise. This vulnerability impacts versions of Yii2 up to and including 2.0.9; a patch is available in version 2.0.38.
影響と攻撃シナリオ翻訳中…
The core impact of CVE-2020-15148 is remote code execution (RCE). An attacker can craft a malicious serialized object and inject it into user input that is subsequently processed by the Yii2 application's unserialize() function. This allows the attacker to execute arbitrary PHP code on the server, potentially gaining full control of the system. The blast radius is significant, as an attacker could modify application data, steal sensitive information, install malware, or pivot to other systems on the network. This vulnerability shares similarities with other insecure deserialization exploits, where the lack of proper input validation allows for the execution of attacker-controlled code.
悪用の状況翻訳中…
CVE-2020-15148 was published on September 15, 2020. While no widespread active exploitation campaigns have been publicly reported, the vulnerability's RCE nature and the availability of potential exploits make it a target. The vulnerability is not currently listed on KEV or EPSS, suggesting a low to medium probability of exploitation. Public proof-of-concept (POC) code may exist, increasing the risk of exploitation if the vulnerability remains unpatched.
脅威インテリジェンス
エクスプロイト状況
EPSS
93.43% (100% パーセンタイル)
CVSS ベクトル
これらのメトリクスの意味は?
- Attack Vector
- ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
- Attack Complexity
- 高 — 競合条件、非標準設定、または特定の状況が必要。悪用が難しい。
- Privileges Required
- なし — 認証不要。資格情報なしで悪用可能。
- User Interaction
- なし — 自動かつ無音の攻撃。被害者は何もしない。
- Scope
- 変化あり — 攻撃が脆弱なコンポーネントを超えて他のシステムに波及可能。
- Confidentiality
- 低 — 一部データへの部分的アクセス。
- Integrity
- 高 — 任意のデータの書き込み・変更・削除が可能。
- Availability
- 高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。
影響を受けるソフトウェア
パッケージ情報
- 最終更新
- 2.0.55最近
弱点分類 (CWE)
タイムライン
- 予約済み
- 公開日
- 更新日
- EPSS 更新日
緩和策と回避策翻訳中…
The primary mitigation for CVE-2020-15148 is to upgrade to Yii2 version 2.0.38 or later, which includes a fix for the insecure deserialization vulnerability. If upgrading is not immediately feasible, a workaround involves preventing serialization of the BatchQueryResult class. This can be achieved by adding the sleep() and wakeup() methods to the BatchQueryResult.php file, each throwing a \BadMethodCallException. This effectively disables serialization for this class, preventing the exploitation of this specific vulnerability. After applying the workaround, confirm its effectiveness by attempting to serialize a known malicious payload and verifying that it fails.
修正方法翻訳中…
Actualice Yii 2 a la versión 2.0.38 o superior. Como alternativa, revise el advisory enlazado para una solución temporal sin actualizar.
CVEセキュリティニュースレター
脆弱性分析と重要アラートをメールでお届けします。
よくある質問翻訳中…
What is CVE-2020-15148 — Remote Code Execution (RCE) in yiisoft/yii2?
It's an insecure deserialization vulnerability in Yii2 Framework versions 2.0.9 and earlier, allowing attackers to execute code.
Am I affected by CVE-2020-15148 in yiisoft/yii2?
If you're using Yii2 versions 2.0.0 through 2.0.9, you are potentially affected. Check your version and apply the fix.
How do I fix CVE-2020-15148 in yiisoft/yii2?
Upgrade to Yii2 version 2.0.38 or apply the workaround by disabling serialization in BatchQueryResult.php.
Is CVE-2020-15148 being actively exploited?
While no widespread campaigns are known, the vulnerability's severity makes it a potential target. Monitor your systems for suspicious activity.
Where can I find the official yiisoft/yii2 advisory for CVE-2020-15148?
Refer to the Yii Framework security advisory: https://www.yiiframework.com/security