GHSA-64vj-933f-6pm3: eZ Platform Object Injection in SiteAccessMatchListener

May 15, 2024

This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution (RCE), a very serious threat. All sites may be affected.

Update: There are bugs introduced by this fix, particularly but not limited to compound siteaccess matchers. These have been fixed in ezsystems/ezplatform-kernel v1.0.3, and in ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, and v5.4.15.

References

ezplatform.com/security-advisories/ezsa-2020-004-object-injection-in-siteaccessmatchlistener
github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-kernel/2020-05-20-1.yaml
github.com/advisories/GHSA-64vj-933f-6pm3
github.com/ezsystems/ezpublish-kernel

Code Behaviors & Features

Detect and mitigate GHSA-64vj-933f-6pm3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →