Object injection in cookie driver in phpfastcache
Moderate severity
GitHub Reviewed
Published
Dec 11, 2019
in
PHPSocialNetwork/phpfastcache
•
Updated Jan 11, 2023
Package
Affected versions
>= 5.0.0, < 5.0.13
Patched versions
5.0.13
Description
Published to the GitHub Advisory Database
Dec 12, 2019
Reviewed
Jun 16, 2020
Last updated
Jan 11, 2023
Impact
An possible object injection has been discovered in cookie driver prior 5.0.13 versions (of 5.x releases).
Patches
The issue has been addressed by enforcing JSON conversion when deserializing
Workarounds
If you can't fix it, use another driver such as "Files" (Filesystem)
References
Fixing release: https://github.com/PHPSocialNetwork/phpfastcache/releases/tag/5.0.13
For more information
If you have any questions or comments about this advisory:
References