CVE-2020-5220: Information Exposure

January 27, 2020 (updated February 4, 2020)

Sylius ResourceBundle accepts and uses any serialisation groups to be passed via a HTTP header. This might lead to data exposure by using an unintended serialisation group - for example it could make Shop API use a more permissive group from Admin API.

References

nvd.nist.gov/vuln/detail/CVE-2020-5220

Code Behaviors & Features

Detect and mitigate CVE-2020-5220 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →