Skip to content

Object injection in cookie driver

High
Geolim4 published GHSA-484f-743f-6jx2 Dec 11, 2019

Package

5.0.13 release (packagist)

Affected versions

<5.0.13

Patched versions

5.0.13

Description

Impact

An possible object injection has been discovered in cookie driver prior 5.0.13 versions (of 5.x releases).

Patches

The issue has been addressed by enforcing JSON conversion when deserializing

Workarounds

If you can't fix it, use another driver such as "Files" (Filesystem)

References

Fixing release: https://github.com/PHPSocialNetwork/phpfastcache/releases/tag/5.0.13

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2019-16774

Weaknesses

No CWEs

Credits