cvelistv5 - cve-2020-15143

CVE-2020-15143 (GCVE-0-2020-15143)

Vulnerability from cvelistv5 – Published: 2020-08-19 20:40 – Updated: 2024-08-04 13:08

Title

Remote Code Execution in SyliusResourceBundle

Summary

In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

URL

Tags

https://github.com/Sylius/SyliusResourceBundle/se…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Sylius	SyliusResourceBundle	Affected: < 1.3.14 Affected: >= 1.4.0 , < 1.4.7 Affected: >= 1.5.0, < 1.5.2 Affected: >= 1.6.0, < 1.6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:22.247Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SyliusResourceBundle",
          "vendor": "Sylius",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.4.0 , \u003c 1.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.5.0, \u003c 1.5.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.6.0, \u003c 1.6.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-19T20:40:12",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv"
        }
      ],
      "source": {
        "advisory": "GHSA-p4pj-9g59-4ppv",
        "discovery": "UNKNOWN"
      },
      "title": "Remote Code Execution in SyliusResourceBundle",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15143",
          "STATE": "PUBLIC",
          "TITLE": "Remote Code Execution in SyliusResourceBundle"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SyliusResourceBundle",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.3.14"
                          },
                          {
                            "version_value": "\u003e= 1.4.0 , \u003c 1.4.7"
                          },
                          {
                            "version_value": "\u003e= 1.5.0, \u003c 1.5.2"
                          },
                          {
                            "version_value": "\u003e= 1.6.0, \u003c 1.6.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Sylius"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv",
              "refsource": "CONFIRM",
              "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-p4pj-9g59-4ppv",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15143",
    "datePublished": "2020-08-19T20:40:12",
    "dateReserved": "2020-06-25T00:00:00",
    "dateUpdated": "2024-08-04T13:08:22.247Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.3.13\", \"matchCriteriaId\": \"659F611E-A675-4348-9357-9E72660C4540\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.4.0\", \"versionEndIncluding\": \"1.4.6\", \"matchCriteriaId\": \"324A47C4-D629-406D-993C-FD6180FEA3AE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.5.0\", \"versionEndIncluding\": \"1.5.1\", \"matchCriteriaId\": \"2BDCA031-1860-4F18-8EAB-E1776574DB2C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.6.0\", \"versionEndIncluding\": \"1.6.3\", \"matchCriteriaId\": \"04F7B07A-DE47-4D3C-88E4-51F01D91A4E5\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.\"}, {\"lang\": \"es\", \"value\": \"En SyliusResourceBundle anterior a las versiones 1.3.14, 1.4.7, 1.5.2 y 1.6.4, los par\\u00e1metros de petici\\u00f3n inyectados dentro de una expresi\\u00f3n evaluada por el paquete \\\"symfony/expression-language\\\" no se han saneado correctamente. Esto permite al atacante acceder a cualquier servicio p\\u00fablico manipulando ese par\\u00e1metro de petici\\u00f3n, lo que permite una ejecuci\\u00f3n de c\\u00f3digo remota. Este problema se ha corregido para las versiones 1.3.14, 1.4.7, 1.5.2 y 1.6.4. Las versiones anteriores a la 1.3 no fueron parcheadas.\"}]",
      "id": "CVE-2020-15143",
      "lastModified": "2024-11-21T05:04:56.180",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\", \"baseScore\": 7.7, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2020-08-20T01:17:11.993",
      "references": "[{\"url\": \"https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Mitigation\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mitigation\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-74\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-917\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-15143\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-08-20T01:17:11.993\",\"lastModified\":\"2024-11-21T05:04:56.180\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.\"},{\"lang\":\"es\",\"value\":\"En SyliusResourceBundle anterior a las versiones 1.3.14, 1.4.7, 1.5.2 y 1.6.4, los par\u00e1metros de petici\u00f3n inyectados dentro de una expresi\u00f3n evaluada por el paquete \\\"symfony/expression-language\\\" no se han saneado correctamente. Esto permite al atacante acceder a cualquier servicio p\u00fablico manipulando ese par\u00e1metro de petici\u00f3n, lo que permite una ejecuci\u00f3n de c\u00f3digo remota. Este problema se ha corregido para las versiones 1.3.14, 1.4.7, 1.5.2 y 1.6.4. Las versiones anteriores a la 1.3 no fueron parcheadas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-917\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.3.13\",\"matchCriteriaId\":\"659F611E-A675-4348-9357-9E72660C4540\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.4.0\",\"versionEndIncluding\":\"1.4.6\",\"matchCriteriaId\":\"324A47C4-D629-406D-993C-FD6180FEA3AE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.5.0\",\"versionEndIncluding\":\"1.5.1\",\"matchCriteriaId\":\"2BDCA031-1860-4F18-8EAB-E1776574DB2C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.6.0\",\"versionEndIncluding\":\"1.6.3\",\"matchCriteriaId\":\"04F7B07A-DE47-4D3C-88E4-51F01D91A4E5\"}]}]}],\"references\":[{\"url\":\"https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mitigation\",\"Third Party Advisory\"]}]}}"
  }
}

GSD-2020-15143

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-15143

Aliases

CVE-2020-15143

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-15143",
    "description": "In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.",
    "id": "GSD-2020-15143"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-15143"
      ],
      "details": "In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.",
      "id": "GSD-2020-15143",
      "modified": "2023-12-13T01:21:44.049763Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-15143",
        "STATE": "PUBLIC",
        "TITLE": "Remote Code Execution in SyliusResourceBundle"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SyliusResourceBundle",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.3.14"
                        },
                        {
                          "version_value": "\u003e= 1.4.0 , \u003c 1.4.7"
                        },
                        {
                          "version_value": "\u003e= 1.5.0, \u003c 1.5.2"
                        },
                        {
                          "version_value": "\u003e= 1.6.0, \u003c 1.6.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Sylius"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv",
            "refsource": "CONFIRM",
            "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-p4pj-9g59-4ppv",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=1.3.13||\u003e=1.4.0,\u003c=1.4.6||\u003e=1.5.0,\u003c=1.5.1||\u003e=1.6.0,\u003c=1.6.3",
          "affected_versions": "All versions up to 1.3.13, all versions starting from 1.4.0 up to 1.4.6, all versions starting from 1.5.0 up to 1.5.1, all versions starting from 1.6.0 up to 1.6.3",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-917",
            "CWE-937"
          ],
          "date": "2021-11-18",
          "description": "In SyliusResourceBundle request parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.",
          "fixed_versions": [
            "1.3.14",
            "1.4.7",
            "1.5.2",
            "1.6.4"
          ],
          "identifier": "CVE-2020-15143",
          "identifiers": [
            "CVE-2020-15143",
            "GHSA-p4pj-9g59-4ppv"
          ],
          "not_impacted": "All versions after 1.3.13 before 1.4.0, all versions after 1.4.6 before 1.5.0, all versions after 1.5.1 before 1.6.0, all versions after 1.6.3",
          "package_slug": "packagist/sylius/resource-bundle",
          "pubdate": "2020-08-20",
          "solution": "Upgrade to versions 1.3.14, 1.4.7, 1.5.2, 1.6.4 or above.",
          "title": "Injection Vulnerability",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-15143"
          ],
          "uuid": "4c5d2d4c-c198-4d1b-ac4d-b1dc5eb8e09f"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.3.13",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.4.6",
                "versionStartIncluding": "1.4.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.5.1",
                "versionStartIncluding": "1.5.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.6.3",
                "versionStartIncluding": "1.6.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15143"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-917"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-11-18T18:33Z",
      "publishedDate": "2020-08-20T01:17Z"
    }
  }
}

FKIE_CVE-2020-15143

Vulnerability from fkie_nvd - Published: 2020-08-20 01:17 - Updated: 2024-11-21 05:04

Severity ?

7.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv	Exploit, Mitigation, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv	Exploit, Mitigation, Third Party Advisory

Impacted products

Vendor	Product	Version
sylius	syliusresourcebundle	*
sylius	syliusresourcebundle	*
sylius	syliusresourcebundle	*
sylius	syliusresourcebundle	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "659F611E-A675-4348-9357-9E72660C4540",
              "versionEndIncluding": "1.3.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "324A47C4-D629-406D-993C-FD6180FEA3AE",
              "versionEndIncluding": "1.4.6",
              "versionStartIncluding": "1.4.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2BDCA031-1860-4F18-8EAB-E1776574DB2C",
              "versionEndIncluding": "1.5.1",
              "versionStartIncluding": "1.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "04F7B07A-DE47-4D3C-88E4-51F01D91A4E5",
              "versionEndIncluding": "1.6.3",
              "versionStartIncluding": "1.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In SyliusResourceBundle before versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4, rrequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched."
    },
    {
      "lang": "es",
      "value": "En SyliusResourceBundle anterior a las versiones 1.3.14, 1.4.7, 1.5.2 y 1.6.4, los par\u00e1metros de petici\u00f3n inyectados dentro de una expresi\u00f3n evaluada por el paquete \"symfony/expression-language\" no se han saneado correctamente. Esto permite al atacante acceder a cualquier servicio p\u00fablico manipulando ese par\u00e1metro de petici\u00f3n, lo que permite una ejecuci\u00f3n de c\u00f3digo remota. Este problema se ha corregido para las versiones 1.3.14, 1.4.7, 1.5.2 y 1.6.4. Las versiones anteriores a la 1.3 no fueron parcheadas."
    }
  ],
  "id": "CVE-2020-15143",
  "lastModified": "2024-11-21T05:04:56.180",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.7,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-08-20T01:17:11.993",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-917"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-P4PJ-9G59-4PPV

Vulnerability from github – Published: 2020-08-19 21:04 – Updated: 2021-11-19 15:41

Summary

Remote Code Execution in SyliusResourceBundle

Details

Impact

Request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

The vulnerable versions include: <=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3.

Example

foo:
    path: /foo/{id}
    defaults:
        _sylius:
            repository:
                method: findSome
                arguments:
                    entity: "expr:service('repository').find($id)"

In this case, $id can be prepared in a way that calls other services.

If you visit /foo/"~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~", it will result in a following expression expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~""), which will execute a query on the currently connected database.

To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.

Patches

This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

Workarounds

The fix requires adding addslashes in ParametersParser::parseRequestValueExpression to sanitize user input before evaluating it using the expression language.

- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;

Acknowledgements

This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!

For more information

If you have any questions or comments about this advisory: * Email us at security@sylius.com

Severity ?

7.7 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.3.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15143"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-19T20:30:42Z",
    "nvd_published_at": "2020-08-20T01:17:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nRequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.\n\nThe vulnerable versions include: `\u003c=1.3.13 || \u003e=1.4.0 \u003c=1.4.6 || \u003e=1.5.0 \u003c=1.5.1 || \u003e=1.6.0 \u003c=1.6.3`.\n\n### Example\n\n```yaml\nfoo:\n    path: /foo/{id}\n    defaults:\n        _sylius:\n            repository:\n                method: findSome\n                arguments:\n                    entity: \"expr:service(\u0027repository\u0027).find($id)\"\n```\n\nIn this case, `$id` can be prepared in a way that calls other services. \n\nIf you visit `/foo/\"~service(\u0027doctrine\u0027).getManager().getConnection().executeQuery(\"DELETE * FROM TABLE\")~\"`, it will result in a following expression `expr:service(\u0027repository\u0027).find(\"\"~service(\u0027doctrine\u0027).getManager().getConnection().executeQuery(\"DELETE * FROM TABLE\")~\"\")`, which will execute a query on the currently connected database.\n\nTo find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.\n\n### Patches\n\nThis issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.\n\n### Workarounds\n\nThe fix requires adding `addslashes` in `ParametersParser::parseRequestValueExpression` to sanitize user input before evaluating it using the expression language.\n\n```php\n- return is_string($variable) ? sprintf(\u0027\"%s\"\u0027, $variable) : $variable;\n+ return is_string($variable) ? sprintf(\u0027\"%s\"\u0027, addslashes($variable)) : $variable;\n```\n\n### Acknowledgements\n\nThis security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email us at [security@sylius.com](mailto:security@sylius.com)",
  "id": "GHSA-p4pj-9g59-4ppv",
  "modified": "2021-11-19T15:41:13Z",
  "published": "2020-08-19T21:04:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15143"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusResourceBundle/commit/73ed8b8bb083f36c30ad7c3cec336f65d6a80650"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15143.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/SyliusResourceBundle"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote Code Execution in SyliusResourceBundle"
}

CNVD-2020-49008

Vulnerability from cnvd - Published: 2020-08-28

Title

Sylius注入漏洞（CNVD-2020-49008）

Description

Sylius是波兰Sylius公司的一套基于Symfony框架的开源电子商务平台。 Sylius ResourceBundle中存在注入漏洞，该漏洞源于程序未能正确处理请求参数。攻击者可利用该漏洞执行代码。

Severity

中

Patch Name

Sylius注入漏洞（CNVD-2020-49008）的补丁

Patch Description

Sylius是波兰Sylius公司的一套基于Symfony框架的开源电子商务平台。 Sylius ResourceBundle中存在注入漏洞，该漏洞源于程序未能正确处理请求参数。攻击者可利用该漏洞执行代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-15143

Impacted products

Name
['sylius ResourceBundle <1.3.14', 'sylius ResourceBundle <1.4.7', 'sylius ResourceBundle <1.5.2', 'sylius ResourceBundle <1.6.4']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15143",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-15143"
    }
  },
  "description": "Sylius\u662f\u6ce2\u5170Sylius\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eSymfony\u6846\u67b6\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\n\nSylius ResourceBundle\u4e2d\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5904\u7406\u8bf7\u6c42\u53c2\u6570\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-p4pj-9g59-4ppv",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-49008",
  "openTime": "2020-08-28",
  "patchDescription": "Sylius\u662f\u6ce2\u5170Sylius\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eSymfony\u6846\u67b6\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\r\n\r\nSylius ResourceBundle\u4e2d\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u5904\u7406\u8bf7\u6c42\u53c2\u6570\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Sylius\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2020-49008\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "sylius ResourceBundle \u003c1.3.14",
      "sylius ResourceBundle \u003c1.4.7",
      "sylius ResourceBundle \u003c1.5.2",
      "sylius ResourceBundle \u003c1.6.4"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-15143",
  "serverity": "\u4e2d",
  "submitTime": "2020-08-24",
  "title": "Sylius\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2020-49008\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-15143 (GCVE-0-2020-15143)

GSD-2020-15143

FKIE_CVE-2020-15143

GHSA-P4PJ-9G59-4PPV

Impact

Example

Patches

Workarounds

Acknowledgements

For more information

CNVD-2020-49008

Tags

Sightings

Nomenclature