An possible object injection has been discovered in cookie driver prior 5.0.13 versions (of 5.x releases).
The issue has been addressed by enforcing JSON conversion when deserializing
If you can't fix it, use another driver such as "Files" (Filesystem)
Fixing release: https://github.com/PHPSocialNetwork/phpfastcache/releases/tag/5.0.13
If you have any questions or comments about this advisory:
* Open an issue in the issue tracker
* Email us at [email protected]
| Score | Percentile |
|---|---|
| 0.38% | 58.69% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.4 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-484f-743f-6jx2 ↗ |
| CVE | CVE-2019-16774 ↗ |
| CWE id | Name |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | phpfastcache/phpfastcache | >= 5.0.0, < 5.0.13 | 5.0.13 | — |