[CVE-2021-33898] Insecure deserialization versions <= 4.3.1 #5909
Comments
We would recommend that people update to 4.5. No one should be using 4.3

Thanks @turbo124 , probably should just make my intent more clear - the commented out code should not be re-introduced as-is.

@montycarlo

The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2021-33898 to this issue. This is a record on the CVE List, which standardizes names for security problems.

Thank you for reporting this, but do you think it's helpful to create CVE issues for previous versions of software? If it were done for all issues, wouldn't it create more noise than signal? I'm asking because I believe these issues may make our software look insecure when in fact it isn't. For more context, v4.3.1 was released on Apr 9, 2018 and v4.4.0 on Apr 24, 2018 https://github.com/invoiceninja/invoiceninja/releases/tag/v4.3.1
What version of Invoice Ninja are you running?
v4.3.1 and below
What environment are you running?
N/A
Have you checked log files (storage/logs/)? Please provide redacted output
N/A
Have you searched existing issues?
Yes
Have you reported this to Slack/forum before posting?
No
Describe the bug
In versions v4.3.1 and below of InvoiceNinja, there is an unsafe call to unserialize() in app/Ninja/Repositories/AccountRepository.php which may allow an attacker to deserialize arbitrary PHP classes. In certain contexts this can result in remote code execution.

The argument to unserialize is the output from a HTTP call to http://www.geoplugin.net/php.gp. This is without encryption. Attack vectors are then:

Expected behavior
Use JSON instead of native PHP objects for untrusted input.
Additional context
The responsible code is now commented out since 25feebd6c2b02687d06832442ce6ce27971849c3, however there is a note about triaging GDPR implications before reintroduction of the code block, so this may be introduced in future versions.
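An added example, not code from Invoice Ninja or from the reporter, of the expected behaviour described above: treating the geolocation lookup response as plain JSON data instead of handing it to unserialize(). The GeoLookupResult class, the field names and the sample body are assumptions made for the example; the last function shows the narrower PHP 7+ mitigation for the case where the wire format cannot be changed.

```php
<?php
// Added example (not Invoice Ninja's code). Assumed: the lookup endpoint
// returns a JSON object with the two fields read below, fetched over TLS.
declare(strict_types=1);

final class GeoLookupResult
{
    public function __construct(
        public readonly string $countryCode,
        public readonly string $currencyCode,
    ) {}
}

// The pattern the issue describes, for contrast (never do this with a body
// that arrived from the network): any autoloadable class could be instantiated
// by whoever controls the response or the unencrypted path it travelled.
//   $data = unserialize(file_get_contents($url));

// Hardened: the body is data, never objects. Unknown shape => fail closed.
function parseGeoResponse(string $body): ?GeoLookupResult
{
    try {
        $data = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    if (!is_array($data)) {
        return null;
    }
    $country  = $data['geoplugin_countryCode'] ?? null;
    $currency = $data['geoplugin_currencyCode'] ?? null;
    // Allow-list the value shapes: ISO 3166 alpha-2 and ISO 4217 codes.
    if (!is_string($country) || !preg_match('/^[A-Z]{2}$/', $country)) {
        return null;
    }
    if (!is_string($currency) || !preg_match('/^[A-Z]{3}$/', $currency)) {
        return null;
    }
    return new GeoLookupResult($country, $currency);
}

// If the serialized format must stay, PHP 7+ can at least stop object
// creation: objects become __PHP_Incomplete_Class, arrays/scalars pass.
function parseLegacyGeoResponse(string $body): ?array
{
    $data = @unserialize($body, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed sample input, not a real geoplugin response.
$sample = '{"geoplugin_countryCode":"DE","geoplugin_currencyCode":"EUR"}';
var_dump(parseGeoResponse($sample));
```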