logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2020-15146 sylius/resource-bundle

Package

Manager: composer
Name: sylius/resource-bundle
Vulnerable Version: >=1.4.0 <1.4.7 || >=1.5.0 <1.5.2 || >=1.6.0 <1.6.4 || >=1.0.0 <1.3.14

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.01064 pctl0.76837

Details

Remote Code Execution in SyliusResourceBundle ### Impact Request parameters injected inside an expression evaluated by `symfony/expression-language` package haven't been sanitized properly. This allows the attacker to access any public service by manipulating that request parameter, allowing for Remote Code Execution. The vulnerable versions include: `<=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3`. ### Example ```yaml sylius_grid: grids: foo: fields: bar: options: baz: "expr:service('sylius.repository.product').find($id)" ``` In this case, `$id` can be prepared in a way that calls other services. If you visit `/route?id="~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"`, it will result in a following expression `expr:service('repository').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"")`, which will execute a query on the currently connected database. To find a vulnerability in your application, look for any routing definition that uses request parameters inside expression language. ### Patches This issue has been patched for versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 were not patched. ### Workarounds The fix requires adding `addslashes` in `OptionsParser::parseOptionExpression` to sanitize user input before evaluating it using the expression language. ```php - return is_string($variable) ? sprintf('"%s"', $variable) : $variable; + return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable; ``` ### Acknowledgements This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot! ### For more information If you have any questions or comments about this advisory: * Email us at [security@sylius.com](mailto:security@sylius.com)

Metadata

Created: 2020-08-19T19:52:30Z
Modified: 2021-11-19T15:36:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-h6m7-j4h3-9rf5/GHSA-h6m7-j4h3-9rf5.json
CWE IDs: ["CWE-74", "CWE-917"]
Alternative ID: GHSA-h6m7-j4h3-9rf5
Finding: F004
Auto approve: 1