CVE-2020-15148 is an insecure deserialization vulnerability in the Yii 2 PHP framework (yiisoft/yii2). An application built on a vulnerable version can be made to execute arbitrary code if it passes user-supplied data to PHP's unserialize() function: the attacker supplies a serialized string naming the framework class yii\db\BatchQueryResult, whose destructor then runs on attacker-controlled state. Successful exploitation can lead to complete system compromise. All Yii 2 releases before 2.0.38 are affected; the fix shipped in version 2.0.38.
Impact and Attack Scenarios
The core impact of CVE-2020-15148 is remote code execution (RCE). The precondition is that the application itself calls unserialize() on user-controlled input (a cookie, a form field, a cached or session value an attacker can write); Yii does not do this by default, which is why the CVSS attack complexity is rated High. Given such a call site, an attacker crafts a serialized object graph rooted in yii\db\BatchQueryResult and submits it; PHP instantiates the object, its magic methods run with attacker-chosen property values, and the resulting gadget chain executes arbitrary PHP code with the web server's privileges. The blast radius is the whole application and its host: an attacker can modify application data, steal secrets and credentials, install malware, or pivot to other systems on the network. As with other insecure deserialization bugs, the root cause is not missing validation of field values but the fact that unserialize() lets the input decide which classes get instantiated.
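The call pattern that exposes an application, beside two replacements that never let the input choose a class. This is an added example, not code from the page or from the Yii project; the Marker class, the three load* functions and the sample payloads are constructed for the demonstration (Marker only announces that its __wakeup() ran, it is not a gadget), and it assumes PHP 8.0 or later:

```php
<?php
// Added example (not Yii2 code): the call pattern that makes an application
// exposed to CVE-2020-15148, beside two replacements that keep attacker-named
// classes from ever being instantiated. Requires PHP 8.0+.
declare(strict_types=1);

// Harmless stand-in for a gadget class: it only announces that its __wakeup()
// ran. In a real chain the magic method would reach something dangerous.
final class Marker
{
    public string $note = '';

    public function __wakeup(): void
    {
        echo "__wakeup() ran for " . self::class . " with note=" . $this->note . "\n";
    }
}

// VULNERABLE: unserialize() instantiates whatever class the input names (any
// class the autoloader can find, e.g. yii\db\BatchQueryResult) and runs its
// __wakeup()/__destruct() with attacker-controlled properties.
function loadStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Walks a decoded array and reports whether any object survived. With
// allowed_classes=false every object arrives as __PHP_Incomplete_Class.
function containsObject(array $data): bool
{
    foreach ($data as $item) {
        if (is_object($item) || (is_array($item) && containsObject($item))) {
            return true;
        }
    }
    return false;
}

// HARDENED (a): allowed_classes=false turns every object in the stream into
// __PHP_Incomplete_Class, so no application class's magic methods run. The
// result is then required to be a plain array with no object placeholders.
function loadStateHardened(string $untrusted): ?array
{
    // Malformed input makes unserialize() return false and raise a notice;
    // turn the notice into an exception so failure is never silent.
    set_error_handler(static function (int $errno, string $errstr): bool {
        throw new RuntimeException($errstr);
    });
    try {
        $value = unserialize($untrusted, ['allowed_classes' => false]);
    } catch (RuntimeException $e) {
        return null;
    } finally {
        restore_error_handler();
    }
    if (!is_array($value) || containsObject($value)) {
        return null;
    }
    return $value;
}

// HARDENED (b): for data that is just a tree of scalars and arrays, JSON has
// no notion of classes at all, so there is nothing to gadget.
function loadStateJson(string $untrusted): ?array
{
    try {
        $value = json_decode($untrusted, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Constructed inputs: a serialized object naming Marker, a serialized plain
// array, and the JSON equivalent of that array.
$objectPayload = 'O:6:"Marker":1:{s:4:"note";s:3:"pwn";}';
$arrayPayload  = 'a:1:{s:4:"name";s:5:"alice";}';
$jsonPayload   = '{"name":"alice"}';

$obj = loadStateVulnerable($objectPayload);   // Marker::__wakeup() fires here
var_dump($obj instanceof Marker);
var_dump(loadStateHardened($objectPayload));  // the object is rejected
var_dump(loadStateHardened($arrayPayload));
var_dump(loadStateJson($jsonPayload));
```

Run with php on the file. The vulnerable loader lets the input pick the class (Marker here; yii\db\BatchQueryResult in the real attack) and its __wakeup() runs before the application sees the result, while both hardened loaders return null for the object payload and a plain array for the benign ones. The allowed_classes option only defuses class instantiation; it does not validate the data, so the shape check that follows it is still needed.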
Exploitation Context
CVE-2020-15148 was published on September 15, 2020. No widespread active exploitation campaign has been publicly reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Its EPSS score, however, is 93.43% (100th percentile), which puts it among the CVEs most likely to be exploited, and public proof-of-concept code is available. An unpatched application that unserializes user input should therefore be treated as exposed rather than as a theoretical risk.
Threat Intelligence
Exploitation status: not listed in CISA KEV
EPSS
93.43% (100th percentile)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet, with no physical or local access needed. The largest attack surface.
- Attack Complexity
- High: requires a race condition, a non-default configuration, or specific circumstances, so it is hard to exploit reliably. Here the condition is that the application itself passes user input to unserialize(), which Yii does not do by default.
- Privileges Required
- None: no authentication and no credentials are needed.
- User Interaction
- None: the attack is automatic and silent; the victim does not need to do anything.
- Scope
- Changed: the attack can reach beyond the vulnerable component and affect other systems.
- Confidentiality
- Low: some data can be accessed.
- Integrity
- High: the attacker can write, modify or delete any data.
- Availability
- High: complete crash or resource exhaustion, a full denial of service.
Affected Software
Package Information
- Last updated
- 2.0.55 (latest release)
Weakness Classification (CWE)
CWE-502: Deserialization of Untrusted Data
Timeline
- Published: September 15, 2020
Mitigations and Workarounds
The primary mitigation for CVE-2020-15148 is to upgrade to Yii 2 version 2.0.38 or later, which contains the fix. If upgrading is not immediately feasible, the advisory's workaround is to make the yii\db\BatchQueryResult class unserializable: add __sleep() and __wakeup() methods to BatchQueryResult.php, each throwing a \BadMethodCallException. PHP calls __wakeup() as soon as it has rehydrated the object, so unserialize() then aborts with an exception before the instance (and its destructor) can be used as a gadget. After applying the workaround, confirm it by calling unserialize() on a payload that names the class (for example the empty object stream O:23:"yii\db\BatchQueryResult":0:{}) and verifying that it throws instead of returning an object. The workaround neutralises only this one gadget; any other autoloadable class with a dangerous magic method remains usable, so the durable fix is to stop passing user-controlled data to unserialize() at all, or at minimum to call it with ['allowed_classes' => false].
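The workaround and its verification, as an added example that is not code from the Yii project or from the linked advisory. The BatchQueryResult class below is a constructed stand-in carrying only the two workaround methods so the file runs without a Yii install (the real class lives in vendor/yiisoft/yii2/db/BatchQueryResult.php and keeps all of its other code); workaroundActive() and serializeRefused() are names chosen for this example, and the payload string is constructed:

```php
<?php
// Added example (not code from the Yii project): a stand-in for
// yii\db\BatchQueryResult that carries the advisory's workaround, plus a
// self-check that unserialize() now refuses a payload naming the class.
// In a real application the two magic methods are added to the vendored
// class (vendor/yiisoft/yii2/db/BatchQueryResult.php) and the checks below
// are run against that class instead of this stand-in.
declare(strict_types=1);

namespace yii\db;

class BatchQueryResult
{
    // Stand-in for the real property; the real class holds a DataReader here
    // and its destructor closes it, which is what the gadget abuses.
    private $_dataReader;

    // Workaround: make the class unserializable in both directions.
    public function __sleep()
    {
        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__);
    }

    public function __wakeup()
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}

// Returns true when the workaround (or the 2.0.38+ fix) is active: an object
// stream naming the class must fail before any instance reaches application
// code or its destructor.
function workaroundActive(): bool
{
    // Constructed payload: an instance with no properties; 23 is the length
    // of the fully qualified class name.
    $payload = 'O:23:"yii\db\BatchQueryResult":0:{}';
    try {
        \unserialize($payload);
    } catch (\BadMethodCallException $e) {
        return true;
    }
    return false;   // an object was rehydrated: the class is still unpatched
}

// Companion check for the outbound direction, so an instance never lands in
// a session or cache store that is unserialized later.
function serializeRefused(): bool
{
    try {
        \serialize(new BatchQueryResult());
    } catch (\BadMethodCallException $e) {
        return true;
    }
    return false;
}

echo 'unserialize() refused: ' . (workaroundActive() ? 'yes' : 'NO, still vulnerable') . "\n";
echo 'serialize() refused:   ' . (serializeRefused() ? 'yes' : 'NO') . "\n";
```

Point the two checks at the vendored class (drop the stand-in, require Composer's autoloader, keep the namespace) and run them after every composer update: a vendor directory regenerated from the lock file silently drops a hand-applied patch, which is the main operational risk of this workaround over upgrading.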
Remediation
Upgrade Yii 2 to version 2.0.38 or later. Alternatively, see the linked advisory for a temporary workaround that does not require upgrading.
Frequently Asked Questions
What is CVE-2020-15148 — Remote Code Execution (RCE) in yiisoft/yii2?
It's an insecure deserialization vulnerability in Yii 2 Framework versions before 2.0.38 that lets an attacker execute arbitrary code when the application calls unserialize() on user-supplied data.
Am I affected by CVE-2020-15148 in yiisoft/yii2?
If you're running any Yii 2 version before 2.0.38 and your application passes user-controlled data to unserialize(), you are affected. Check the installed version (for example with composer show yiisoft/yii2) and apply the fix.
How do I fix CVE-2020-15148 in yiisoft/yii2?
Upgrade to Yii2 version 2.0.38 or later. As a stopgap, apply the workaround of making BatchQueryResult unserializable: add __sleep() and __wakeup() methods to BatchQueryResult.php that throw \BadMethodCallException.
Is CVE-2020-15148 being actively exploited?
No widespread campaign is known, but the EPSS score is high and proof-of-concept code is public, so treat it as a likely target. Audit the code base for unserialize() calls that can receive user input, and look for serialized-object syntax (such as O:23:"yii\db\BatchQueryResult") in request parameters, cookies and session data that reach those calls.
Where can I find the official yiisoft/yii2 advisory for CVE-2020-15148?
Refer to the Yii Framework security advisory: https://www.yiiframework.com/security