yiisoft/yii2
Fixed in
2.0.39
2.0.38
CVE-2020-15148 is an insecure deserialization (CWE-502) vulnerability in the Yii 2 PHP framework. An application built on Yii 2 is exposed if it passes attacker-controlled data to PHP's unserialize(): a specially crafted serialized string can reach a gadget chain inside the framework and end in arbitrary code execution on the server. Successful exploitation can lead to complete system compromise. All Yii 2 releases before 2.0.38 are affected; the fix shipped in version 2.0.38.
The core impact of CVE-2020-15148 is remote code execution (RCE). Yii 2 itself does not unserialize request data; the flaw is that the framework ships a class (yii\db\BatchQueryResult) whose magic methods can be abused as a gadget once the application calls unserialize() on input the attacker controls (a cookie, a form field, a cached value, a queue message). The attacker crafts a serialized object graph naming that class, submits it through whichever path reaches unserialize(), and the resulting method calls execute attacker-chosen PHP on the server. The blast radius is significant: with code execution as the PHP worker, the attacker can modify application data, read secrets and database credentials, install malware, or pivot to other systems on the network. As with other PHP deserialization chains, the root cause is deserializing untrusted data; the framework class merely supplies the gadget, which is why both the framework fix and the application's own use of unserialize() matter.
CVE-2020-15148 was published on September 15, 2020. No widespread exploitation campaign has been publicly reported, and the vulnerability is not in CISA's KEV catalogue, but its EPSS score (93.43%, 100th percentile, see below) places it among the CVEs most likely to be exploited. Public proof-of-concept gadget chains exist, so any unpatched application that unserializes user input should be treated as exposed rather than as a low-probability target.
Exploit status
EPSS: 93.43% (100th percentile)
The primary mitigation for CVE-2020-15148 is to upgrade to Yii 2 version 2.0.38 or later, which includes the fix for this gadget. If upgrading is not immediately feasible, the workaround from the advisory is to make the yii\db\BatchQueryResult class non-serializable: add `__sleep()` and `__wakeup()` methods to BatchQueryResult.php, each throwing a \BadMethodCallException. serialize() then fails in `__sleep()`, and a crafted payload naming the class fails in `__wakeup()` before any further gadget method can run. After applying the workaround, confirm it by calling unserialize() on a serialized string naming that class and checking that \BadMethodCallException is thrown, and by checking that serialize() on an instance throws as well. Note that the workaround removes only this gadget; the underlying exposure is unserialize() on untrusted input, so the application should also stop deserializing user-controlled data (prefer JSON) or at minimum call unserialize() with `['allowed_classes' => false]`.
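The following script is an added example, not code from Yii or from the advisory. It applies the workaround pattern described above to a stand-in class (NonSerializableResult, a hypothetical name used in place of yii\db\BatchQueryResult so the script runs without the framework), runs the two checks the workaround calls for, and shows the application-side defence of deserializing untrusted input with `allowed_classes => false`. The serialized payload is constructed in the script in PHP's own `O:<len>:"<class>":<n>:{}` format.

```php
<?php
declare(strict_types=1);

// Added example (not Yii's own code). NonSerializableResult stands in for
// yii\db\BatchQueryResult with the advisory's workaround applied: both magic
// methods throw, so the class can neither be serialized nor rebuilt by
// unserialize(), which removes it as a deserialization gadget.
final class NonSerializableResult
{
    private $dataReader = null; // placeholder for the field a gadget would control

    public function __sleep(): array
    {
        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__);
    }

    public function __wakeup(): void
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}

// Constructed payload: an object of the class with zero properties.
function craftedPayload(): string
{
    $cls = NonSerializableResult::class;
    return sprintf('O:%d:"%s":0:{}', strlen($cls), $cls);
}

// Check 1: serialize() must fail on an instance (exercises __sleep).
function serializeIsBlocked(): bool
{
    try {
        serialize(new NonSerializableResult());
        return false;
    } catch (\BadMethodCallException $e) {
        return true;
    }
}

// Check 2: a crafted payload naming the class must fail (exercises __wakeup).
function unserializeIsBlocked(): bool
{
    try {
        unserialize(craftedPayload());
        return false;
    } catch (\BadMethodCallException $e) {
        return true;
    }
}

// Application-side defence, independent of any framework fix: never let
// unserialize() instantiate classes from untrusted input. With
// allowed_classes => false (PHP 7.0+) every object in the payload becomes a
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a real class runs
// and a gadget chain cannot start.
function unserializeUntrusted(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Check 3: the same payload, deserialized safely, yields an inert placeholder.
function incompleteClassIsInert(): bool
{
    $obj = unserializeUntrusted(craftedPayload());
    return $obj instanceof \__PHP_Incomplete_Class;
}

foreach (['serializeIsBlocked', 'unserializeIsBlocked', 'incompleteClassIsInert'] as $check) {
    printf("%-24s %s\n", $check, $check() ? 'OK' : 'FAIL');
}
```

Run it with `php` from the command line; all three checks should report OK. To verify the real workaround, replace the stand-in with the patched yii\db\BatchQueryResult (autoloaded through Composer) and keep the checks unchanged: the first two confirm the gadget is closed, the third confirms the application's own unserialize() calls no longer instantiate classes from untrusted data.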
Upgrade Yii 2 to version 2.0.38 or later. Alternatively, see the linked advisory for a temporary fix that does not require upgrading.
It is an insecure deserialization vulnerability in Yii 2 releases before 2.0.38 that lets an attacker execute code if the application calls unserialize() on user-controlled input.
If you run any Yii 2 release before 2.0.38, you are potentially affected. Check the installed version with `composer show yiisoft/yii2` and apply the fix.
Upgrade to Yii 2 version 2.0.38 or later, or apply the workaround: add `__sleep()` and `__wakeup()` methods that throw \BadMethodCallException to BatchQueryResult.php so the class cannot be serialized or unserialized.
While no widespread campaigns are known, the vulnerability's severity and high EPSS score make it a realistic target. Review where your application calls unserialize() on external data, and monitor for serialized-object strings (PHP object payloads begin with `O:`) in request parameters and cookies, and for unexpected processes spawned by the PHP worker.
Refer to the Yii Framework security advisory: https://www.yiiframework.com/security