GHSA-64vj-933f-6pm3
Suggest an improvement- Source
- https://github.com/advisories/GHSA-64vj-933f-6pm3
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-64vj-933f-6pm3/GHSA-64vj-933f-6pm3.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-64vj-933f-6pm3
- Published
- 2024-05-15T21:28:27Z
- Modified
- 2024-11-29T05:25:36.514729Z
- Summary
- eZ Platform Object Injection in SiteAccessMatchListener
- Details
-
This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution (RCE), a very serious threat. All sites may be affected.
Update: There are bugs introduced by this fix, particularly but not limited to compound siteaccess matchers. These have been fixed in ezsystems/ezplatform-kernel v1.0.3, and in ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, and v5.4.15.
- Database specific
{ "cwe_ids": [ "CWE-94" ], "severity": "HIGH", "nvd_published_at": null, "github_reviewed_at": "2024-05-15T21:28:27Z", "github_reviewed": true }- References
Affected packages
Packagist / ezsystems/ezpublish-kernel
Package
- Name
- ezsystems/ezpublish-kernel
- Purl
- pkg:composer/ezsystems/ezpublish-kernel
Packagist / ezsystems/ezpublish-kernel
Package
- Name
- ezsystems/ezpublish-kernel
- Purl
- pkg:composer/ezsystems/ezpublish-kernel
Packagist / ezsystems/ezpublish-kernel
Package
- Name
- ezsystems/ezpublish-kernel
- Purl
- pkg:composer/ezsystems/ezpublish-kernel