Vulnerability Details CVE-2020-5220
Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API. Anyone exposing an API with ResourceBundle's controller is affected. The vulnerable versions are: <1.3 || >=1.3.0 <=1.3.12 || >=1.4.0 <=1.4.5 || >=1.5.0 <=1.5.0 || >=1.6.0 <=1.6.2. The patch is provided for Sylius ResourceBundle 1.3.13, 1.4.6, 1.5.1 and 1.6.3, but not for any versions below 1.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 54.6%
CVSS Severity
CVSS v3 Score 4.4
CVSS v2 Score 5.0
References
- https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml
- https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2
- https://github.com/FriendsOfPHP/security-advisories/blob/master/sylius/resource-bundle/CVE-2020-5220.yaml
- https://github.com/Sylius/SyliusResourceBundle/security/advisories/GHSA-8vp7-j5cj-vvm2
Products affected by CVE-2020-5220
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.0
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.1
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.10
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.11
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.12
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.2
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.3
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.4
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.5
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.6
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.7
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.8
-
cpe:2.3:a:sylius:syliusresourcebundle:1.3.9
-
cpe:2.3:a:sylius:syliusresourcebundle:1.4.0
-
cpe:2.3:a:sylius:syliusresourcebundle:1.4.1
-
cpe:2.3:a:sylius:syliusresourcebundle:1.4.2
-
cpe:2.3:a:sylius:syliusresourcebundle:1.4.3
-
cpe:2.3:a:sylius:syliusresourcebundle:1.4.4
-
cpe:2.3:a:sylius:syliusresourcebundle:1.4.5
-
cpe:2.3:a:sylius:syliusresourcebundle:1.5.0
-
cpe:2.3:a:sylius:syliusresourcebundle:1.6.0
-
cpe:2.3:a:sylius:syliusresourcebundle:1.6.1
-
cpe:2.3:a:sylius:syliusresourcebundle:1.6.2