GHSA-2w9p-xxqr-h253: eZ Platform Object Injection in SiteAccessMatchListener
This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution (RCE), a very serious threat. All sites may be affected.
Update: There are bugs introduced by this fix, particularly but not limited to compound siteaccess matchers. These have been fixed in ezsystems/ezplatform-kernel v1.0.3, and in ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, and v5.4.15.
References
- ezplatform.com/security-advisories/ezsa-2020-004-object-injection-in-siteaccessmatchlistener
- github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezplatform-kernel/2020-05-20-1.yaml
- github.com/advisories/GHSA-2w9p-xxqr-h253
- github.com/ezsystems/ezplatform-kernel
- web.archive.org/web/20201024030303/https://ezplatform.com/security-advisories/ezsa-2020-004-object-injection-in-siteaccessmatchlistener
Detect and mitigate GHSA-2w9p-xxqr-h253 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →