Описание
Object injection in cookie driver in phpfastcache
Impact
An possible object injection has been discovered in cookie driver prior 5.0.13 versions (of 5.x releases).
Patches
The issue has been addressed by enforcing JSON conversion when deserializing
Workarounds
If you can't fix it, use another driver such as "Files" (Filesystem)
References
Fixing release: https://github.com/PHPSocialNetwork/phpfastcache/releases/tag/5.0.13
For more information
If you have any questions or comments about this advisory:
- Open an issue in the issue tracker
- Email us at security@geolim4.com
Ссылки
- https://github.com/PHPSocialNetwork/phpfastcache/security/advisories/GHSA-484f-743f-6jx2
- https://nvd.nist.gov/vuln/detail/CVE-2019-16774
- https://github.com/PHPSocialNetwork/phpfastcache/commit/c4527205cb7a402b595790c74310791f5b04a1a4
- https://github.com/PHPSocialNetwork/phpfastcache/releases/tag/5.0.13
- https://github.com/advisories/GHSA-484f-743f-6jx2
Пакеты
phpfastcache/phpfastcache
>= 5.0.0, < 5.0.13
5.0.13
Связанные уязвимости
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
In phpfastcache before 5.1.3, there is a possible object injection vul ...
Уязвимость PHP библиотеки PhpFastCache, связанная с недостатками механизма десериализации, позволяющая нарушителю вызвать отказ в обслуживании