eZ Platform Object Injection in SiteAccessMatchListener

High severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database

Package

composer ezsystems/ezpublish-kernel (Composer)

Affected versions

>= 7.5.0, < 7.5.8
>= 6.13.0, < 6.13.6.4
>= 5.4.0, < 5.4.15

Patched versions

7.5.8
6.13.6.4
5.4.15

Description

This security advisory concerns an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution (RCE), a very serious threat. All sites may be affected.

Update: There are bugs introduced by this fix, particularly, but not limited to, compound siteaccess matchers. These have been fixed in ezsystems/ezplatform-kernel v1.0.3, and in ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, and v5.4.15.
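To decide quickly whether an installation is exposed, the check below compares the ezsystems/ezpublish-kernel version pinned in composer.lock against the three affected ranges listed in this advisory. This is an added example, not code from the advisory or from eZ Platform; it assumes the standard composer.lock layout ("packages" and "packages-dev" lists with "name" and "version" keys) and uses a constructed sample lock file.

```python
import json
from typing import Optional

# Affected ranges from the advisory, as [lower, upper) per maintained branch.
ADVISORY_ID = "GHSA-64vj-933f-6pm3"
PACKAGE = "ezsystems/ezpublish-kernel"
AFFECTED_RANGES = [("7.5.0", "7.5.8"), ("6.13.0", "6.13.6.4"), ("5.4.0", "5.4.15")]

def parse_version(version: str) -> tuple:
    """Turn 'v6.13.6.4' into (6, 13, 6, 4). Pre-release and build suffixes
    are dropped; a non-numeric version such as 'dev-master' raises ValueError."""
    core = version.lstrip("vV").split("-")[0].split("+")[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a release version: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(version: str) -> bool:
    """True when the version falls inside any [lower, upper) affected range.
    Tuple comparison handles the four-component 6.13.6.4 boundary correctly:
    (6, 13, 6) < (6, 13, 6, 4), so 6.13.6 is still reported as affected."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)

def check_lockfile(lock: dict) -> Optional[dict]:
    """Scan a parsed composer.lock (runtime and dev sections) for the kernel
    package. 'affected' is None for branch aliases that cannot be compared."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                try:
                    affected = is_affected(pkg["version"])
                except ValueError:
                    affected = None  # e.g. dev-master: verify manually
                return {"version": pkg["version"], "affected": affected, "advisory": ADVISORY_ID}
    return None  # package not installed

# Constructed sample composer.lock, trimmed to the fields the check needs.
SAMPLE_LOCK = json.loads("""
{"packages": [
  {"name": "symfony/http-kernel", "version": "v3.4.47"},
  {"name": "ezsystems/ezpublish-kernel", "version": "v7.5.7"}
], "packages-dev": []}
""")

if __name__ == "__main__":
    print(check_lockfile(SAMPLE_LOCK))
```

To run it against a real project, replace SAMPLE_LOCK with `json.load(open("composer.lock"))`.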

Published to the GitHub Advisory Database May 15, 2024
Reviewed May 15, 2024

Severity

High

CVE ID

No known CVE

GHSA ID

GHSA-64vj-933f-6pm3