CVE-2024-4990: Unsafe Reflection in base Component class in yiisoft/yii2
Yii2 supports attaching Behaviors to Components by setting properties whose name has the format 'as <behavior-name>'. Internally this is handled by the __set() magic method of yii\base\Component. If the value passed to this method is not already an instance of the Behavior class, a new object is instantiated with Yii::createObject($value). Before the fix there was no check that $value is a Behavior class name, or a configuration array whose 'class' key names one. An attacker who can control the content of $value (for example, when untrusted data is merged into a component configuration array that is passed to Yii::createObject() or Yii::configure()) can therefore instantiate arbitrary classes, pass parameters to their constructors, and have a setter method invoked for every remaining configuration key (unsafe reflection). The fix in pull request #20183 (released in yii2 2.0.50) validates that the class name is a Behavior subclass before anything is instantiated. Note that checking the result of Yii::createObject() afterwards would not be sufficient, because the constructor and the setters have already run by then.
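The following stand-alone PHP 8 script is an added illustration, not code from yiisoft/yii2. It reproduces the shape of the 'as <name>' handling in Component::__set() with a simplified createObject() and a constructed, unrelated class (LogWriter) whose constructor and setter record when they are called. The class names Behavior, AuditBehavior, LogWriter, VulnerableComponent and HardenedComponent, the createObject() stub and the payload array are all assumptions made for this example. The vulnerable component instantiates whatever class the configuration names; the hardened one checks the class name against Behavior before instantiation, which is the approach the fix takes.

```php
<?php
// Added example, not Yii2 code: minimal stand-in for yii\base\Component::__set()
// 'as <name>' handling, before and after validating the behavior class.
declare(strict_types=1);

class Behavior { public ?object $owner = null; }
class AuditBehavior extends Behavior {}

// Constructed gadget: an ordinary class that is not a Behavior. Its constructor
// and setter only record that they ran; a real class might have side effects.
class LogWriter
{
    public static array $trace = [];
    private string $path = '';
    public function __construct() { self::$trace[] = 'LogWriter::__construct'; }
    public function setPath(string $path): void
    {
        self::$trace[] = "LogWriter::setPath($path)";
        $this->path = $path;
    }
}

// Simplified Yii::createObject(): a class name, or a config array with a 'class'
// key; every other key is applied through the matching setter.
function createObject(string|array $type): object
{
    if (is_string($type)) {
        return new $type();
    }
    $class = $type['class'] ?? throw new InvalidArgumentException('missing class');
    unset($type['class']);
    $obj = new $class();
    foreach ($type as $prop => $val) {
        $obj->{'set' . ucfirst((string) $prop)}($val);
    }
    return $obj;
}

// Pre-fix shape: any class named in $value gets constructed and configured.
class VulnerableComponent
{
    public array $behaviors = [];
    public function __set(string $name, mixed $value): void
    {
        if (strncmp($name, 'as ', 3) === 0) {
            $name = trim(substr($name, 3));
            if (!$value instanceof Behavior) {
                $value = createObject($value);   // no check on the class name
            }
            // In Yii the later attach() call fails on a non-Behavior, but the
            // constructor and setters have already executed at this point.
            $this->behaviors[$name] = $value;
        }
    }
}

// Post-fix shape: the class name is validated before instantiation.
class HardenedComponent
{
    public array $behaviors = [];
    public function __set(string $name, mixed $value): void
    {
        if (strncmp($name, 'as ', 3) === 0) {
            $name = trim(substr($name, 3));
            $class = is_array($value) ? ($value['class'] ?? null) : $value;
            if ($value instanceof Behavior) {
                $behavior = $value;
            } elseif (is_string($class) && is_a($class, Behavior::class, true)) {
                $behavior = createObject($value);
            } else {
                // Rejected before anything is constructed.
                throw new InvalidArgumentException(
                    'Class is not of type ' . Behavior::class . ' or its subclasses');
            }
            $this->behaviors[$name] = $behavior;
        }
    }
}

// Constructed attacker-controlled configuration for an 'as ...' property.
$payload = ['class' => LogWriter::class, 'path' => '/tmp/anything'];

$c = new VulnerableComponent();
$c->{'as audit'} = $payload;
echo 'vulnerable: ', implode(', ', LogWriter::$trace), PHP_EOL;

LogWriter::$trace = [];
$h = new HardenedComponent();
try {
    $h->{'as audit'} = $payload;
} catch (InvalidArgumentException $e) {
    echo 'hardened rejected payload: ', $e->getMessage(), PHP_EOL;
}
echo 'hardened trace is empty: ', var_export(LogWriter::$trace === [], true), PHP_EOL;

$h->{'as audit'} = AuditBehavior::class;   // legitimate use still works
echo 'attached: ', get_class($h->behaviors['audit']), PHP_EOL;
```

Running the script shows LogWriter's constructor and setPath() being invoked through the vulnerable path, while the hardened component throws before LogWriter is ever constructed. is_a() with its third argument set to true is used rather than is_subclass_of() so that a configuration naming Behavior itself is also accepted; the check must operate on the class name string, since any check on the created object comes too late.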
References
- github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2024-4990.yaml
- github.com/advisories/GHSA-cjcc-p67m-7qxm
- github.com/yiisoft/yii2
- github.com/yiisoft/yii2/blob/master/framework/CHANGELOG.md
- github.com/yiisoft/yii2/commit/628d406bfafb80fc32147837888c0057d89a021e
- github.com/yiisoft/yii2/commit/62d081f18c3602d09e7d075bba3a0ca5c313f0b4
- github.com/yiisoft/yii2/pull/20183
- github.com/yiisoft/yii2/security/advisories/GHSA-cjcc-p67m-7qxm
- huntr.com/bounties/4fbdd965-02b6-42e4-b57b-f98f93415b8f
- nvd.nist.gov/vuln/detail/CVE-2024-4990