GHSA-H6M7-J4H3-9RF5

Vulnerability from github – Published: 2020-08-19 19:52 – Updated: 2021-11-19 15:36
VLAI?
Summary
Remote Code Execution in SyliusResourceBundle
Details

Impact

Request parameters injected inside an expression evaluated by symfony/expression-language package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.

The vulnerable versions include: <=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3.

Example

sylius_grid:
    grids:
        foo:
            fields:
                bar:
                    options:
                        baz: "expr:service('sylius.repository.product').find($id)"

In this case, $id can be prepared in a way that calls other services.

If you visit /route?id="~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~", it will result in a following expression expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~""), which will execute a query on the currently connected database.

To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.

Patches

This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.

Workarounds

The fix requires adding addslashes in OptionsParser::parseOptionExpression to sanitize user input before evaluating it using the expression language.

- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;

Acknowledgements

This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!

For more information

If you have any questions or comments about this advisory: * Email us at security@sylius.com

Severity ?
9.6 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/resource-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.3.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15146"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-917"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-19T19:50:49Z",
    "nvd_published_at": "2020-08-20T01:17:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nRequest parameters injected inside an expression evaluated by `symfony/expression-language` package haven\u0027t been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution.\n\nThe vulnerable versions include: `\u003c=1.3.13 || \u003e=1.4.0 \u003c=1.4.6 || \u003e=1.5.0 \u003c=1.5.1 || \u003e=1.6.0 \u003c=1.6.3`.\n\n### Example\n\n```yaml\nsylius_grid:\n    grids:\n        foo:\n            fields:\n                bar:\n                    options:\n                        baz: \"expr:service(\u0027sylius.repository.product\u0027).find($id)\"\n```\n\nIn this case, `$id` can be prepared in a way that calls other services. \n\nIf you visit `/route?id=\"~service(\u0027doctrine\u0027).getManager().getConnection().executeQuery(\"DELETE * FROM TABLE\")~\"`, it will result in a following expression `expr:service(\u0027repository\u0027).find(\"\"~service(\u0027doctrine\u0027).getManager().getConnection().executeQuery(\"DELETE * FROM TABLE\")~\"\")`, which will execute a query on the currently connected database.\n\nTo find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language.\n\n### Patches\n\nThis issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched.\n\n### Workarounds\n\nThe fix requires adding `addslashes` in `OptionsParser::parseOptionExpression` to sanitize user input before evaluating it using the expression language.\n\n```php\n- return is_string($variable) ? sprintf(\u0027\"%s\"\u0027, $variable) : $variable;\n+ return is_string($variable) ? sprintf(\u0027\"%s\"\u0027, addslashes($variable)) : $variable;\n```\n\n### Acknowledgements\n\nThis security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email us at [security@sylius.com](mailto:security@sylius.com)",
  "id": "GHSA-h6m7-j4h3-9rf5",
  "modified": "2021-11-19T15:36:47Z",
  "published": "2020-08-19T19:52:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-h6m7-j4h3-9rf5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15146"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/SyliusResourceBundle/commit/73d9aba182947473a5935b31caf65ca263091e00"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15146.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Sylius/SyliusResourceBundle"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote Code Execution in SyliusResourceBundle"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.