CVE-2023-37473: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

July 14, 2023 (updated July 31, 2023)

zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing callable strings (ie system) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit f4b1c48820 and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either EntityRepository::find() or query().

References

github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c
github.com/zenstruck/collection/releases/tag/v0.2.1
github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq
nvd.nist.gov/vuln/detail/CVE-2023-37473

Detect and mitigate CVE-2023-37473 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →