CVE Vulnerability

CVE-2020-5220

Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's controller is affected. The vulnerable versions are: =1.3.0 =1.4.0 =1.5.0 =1.6.0 <=1.6.2. The patch is provided for Sylius ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml Third Party Advisory
https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*
cpe:2.3:a:sylius:syliusresourcebundle:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*
cpe:2.3:a:sylius:syliusresourcebundle:*:*:*:*:*:*:*:*
Information

Published : 2020-01-27 09:15

Updated : 2020-02-04 02:50

NVD link : CVE-2020-5220

Mitre link : CVE-2020-5220

Products Affected
No products.
CWE
CWE-200