CVE-2020–15227: Potential Remote Code Execution Vulnerability

5 years ago by David Grudl  

For the first time in Nette's 13-year history, a security flaw was discovered in it. It was found by a developer from picturesque Taiwan. This is a serious vulnerability that can, under certain circumstances, lead to remote code execution.

The vulnerability allows an attacker to execute PHP code on some websites under certain circumstances using a specially formed URL. We will not publish a detailed description of the attack mechanism.

A fix is available for all affected versions of Nette, ie starting from version 2.0. Although it has not been maintained for over 6 years, Nette pays particular attention to safety, that is why patches for unsupported versions have been released.

Please update as soon as possible to the latest patch version:

  • nette/application 3.0.6 (or 3.0.2.1, 3.1.0-RC2 or dev)
  • nette/application 2.4.16
  • nette/application 2.3.14
  • nette/application 2.2.10
  • nette/nette 2.1.13
  • nette/nette 2.0.19

We would like to thank Cyku Hong from DEVCORE for discovering and reporting the vulnerability.

All Nette partners were immediately notified of the issue via email so they had sufficient time to patch sites before the information went public.

Update Using Composer

Usually it is enough to call composer update in the project and the current versions of all packages will be downloaded. To update only a specific package, use eg composer update nette/application.

You can find out which version of each package you have installed using composer show command.

Note: Composer needs to be run with the same version of PHP as is used on hosting, or add a version constrain to composer.json, see documentation.

Update by Downloading the Package

If you use distribution packages instead of Composer, you can download them from the archive.

Fastest Fix

Michal Špaček wrote a Linux script, which automatically applies the patch directly to the Nette source code on disk. It is useful if you maintain a large number of projects that you do not have the time to update correctly using Composer.

David Grudl Founder of Uměligence and creator of Nette Framework, the popular PHP framework. Since 2021, he's been fully immersed in artificial intelligence, teaching practical AI applications. He discusses weekly tech developments on Tech Guys with his co-hosts and writes for phpFashion and La Trine. He believes AI isn't science fiction—it's a practical tool for improving life today.

Comments

  1. nargotik #1

    Hi @DG i can not find the commit resolvind this issue to update

    5 years ago
  2. enumag #2

    Comparing 2.0.18 and 2.0.19 it can't be anything else than this commit: https://github.com/…e368d05a3348

    5 years ago
  3. nargotik #3

    that was 25aug !!! the flaw was published yesterday …

    5 years ago · replied [5] David Grudl
  4. Milo #4

    Wow, really appreciate fixes for 2.0! Thank you!

    5 years ago
  5. David Grudl #5

    #3 nargotik First you need to inform partners and other users via email and give sufficient time to patch websites before the information will be released publicly.

    5 years ago

Sign in to submit a comment

Recent posts

Nette Assets: Finally unified API for everything from images to Vite

Introducing Nette Assets – a library that completely transforms working with static files in Nette applications. Tested and proven on dozens of projects.

about a month ago  ·  17 minutes to read

Architecture That Grows with Your Project

One of the most common challenges in PHP application development is proper code organization. Where should presenters go? Where should individual classes be located? And how to ensure the project structure grows naturally with its development?

5 months ago  ·  2 minutes to read

One line in configuration will speed up your Nette application. How is that possible?

Imagine you have a large application with dozens of services – database, logger, mailer, cache, and many others. During each HTTP request, all these services are created, even if you don't use them at all. This unnecessarily slows down your application. The new version of PHP 8.4 and Nette brings…

6 months ago  ·  4 minutes to read