CVE-2022-41922

HIGH8.1EPSS 3.8%

Prevent RCE when deserializing untrusted user input

Published: 11/21/2022Modified: 11/8/2023

Description

### Impact Affected versions of `yiisoft/yii` are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. ### Patches Upgrade `yiisoft/yii` to version 1.1.27 or higher. ### For more information See the following links for more details: - [Git commit](https://github.com/yiisoft/yii/commit/ed67b7cc57216557c5c595c6650cdd2d3aa41c52) - https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).

Affected packages (1)

Packagist/yiisoft/yiifrom 0, < 1.1.27

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-41922
PATCHhttps://github.com/yiisoft/yii
WEBhttps://github.com/yiisoft/yii/commit/ed67b7cc57216557c5c595c6650cdd2d3aa41c52
WEBhttps://github.com/yiisoft/yii/security/advisories/GHSA-442f-wcwq-fpcf