CVE-2020-15227: Potential Remote Code Execution Vulnerability
For the first time in Nette's 13-year history, a security flaw was
discovered in it. It was found by a developer from picturesque Taiwan. This is a
serious vulnerability that can, under certain circumstances, lead to remote code
execution.
The vulnerability allows an attacker to execute PHP code on some websites
under certain circumstances using a specially formed URL. We will not publish a
detailed description of the attack mechanism.
A fix is available for all affected versions of Nette, i.e. starting from
version 2.0. Although version 2.0 has not been maintained for over six years,
Nette pays particular attention to security, which is why patches for
unsupported versions have been released as well.
Please update as soon as possible to the latest patch version:
- nette/application 3.0.6 (or 3.0.2.1, 3.1.0-RC2 or dev)
- nette/application 2.4.16
- nette/application 2.3.14
- nette/application 2.2.10
- nette/nette 2.1.13
- nette/nette 2.0.19
We would like to thank Cyku Hong from DEVCORE
for discovering and reporting the vulnerability.
All Nette partners were immediately notified of the issue via email so they
had sufficient time to patch sites before the information went public.
Update Using Composer
Usually it is enough to run composer update in the project, and the current
versions of all packages will be downloaded. To update only a specific
package, use e.g. composer update nette/application.
You can find out which version of each package you have installed with the
composer show command.
Note: Composer needs to be run with the same version of PHP as is used on the
hosting, or add a platform PHP version constraint (config.platform.php) to
composer.json, see the documentation.
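When you maintain many projects, reading composer show output by hand is error-prone, because the patched release differs per minor branch (3.0.6 for 3.0.x, 2.4.16 for 2.4.x, and so on). The following script is an added example, not part of the original post or of the Nette project: it parses a composer.lock file and reports, for each Nette package pinned there, whether the pinned tag is at or above the patched release listed above. The fixed-version table is taken from the list in this post; the sample lock file embedded in the block is constructed for illustration, and the handling of dev snapshots (reported as "unknown" rather than guessed) is an assumption of this example.

```python
import json
import re
import sys

# Patched releases from the advisory above, keyed by package and minor branch.
FIXED_BY_BRANCH = {
    "nette/application": {
        (3, 1): "3.1.0-RC2",
        (3, 0): "3.0.6",
        (2, 4): "2.4.16",
        (2, 3): "2.3.14",
        (2, 2): "2.2.10",
    },
    "nette/nette": {
        (2, 1): "2.1.13",
        (2, 0): "2.0.19",
    },
}

# Tag the advisory also lists as patched although it sorts below 3.0.6.
EXTRA_FIXED = {"nette/application": {"3.0.2.1"}}

PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
STABLE_RANK = (len(PRE_RANK), 0)   # a stable release sorts above any pre-release


def parse_version(tag):
    """Turn a Composer tag such as 'v3.0.5' or '3.1.0-RC1' into a sortable tuple.

    Returns None for dev snapshots ('dev-master', '3.1.x-dev'): their patch
    state cannot be read from the tag alone (assumption of this example)."""
    tag = tag.lstrip("v")
    if "dev" in tag.lower():
        return None
    core, _, pre = tag.partition("-")
    if not re.fullmatch(r"\d+(\.\d+){0,3}", core):
        return None
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (4 - len(nums))          # 3.0.2.1 has four components
    if not pre:
        return nums + (STABLE_RANK,)
    m = re.fullmatch(r"(?i)(alpha|beta|rc)\.?(\d*)", pre)
    if not m:
        return None
    return nums + ((PRE_RANK[m.group(1).lower()], int(m.group(2) or 0)),)


def classify(name, tag):
    """Return 'patched', 'vulnerable', 'unknown' or 'not-affected' for one package."""
    branches = FIXED_BY_BRANCH.get(name)
    if branches is None:
        return "not-affected"
    if tag.lstrip("v") in EXTRA_FIXED.get(name, ()):
        return "patched"
    parsed = parse_version(tag)
    if parsed is None:
        return "unknown"            # dev snapshot: compare the commit by hand
    fixed_tag = branches.get(parsed[:2])
    if fixed_tag is None:
        return "unknown"            # branch not listed in the advisory
    return "patched" if parsed >= parse_version(fixed_tag) else "vulnerable"


def audit_lock(lock_json):
    """Map every Nette package pinned in composer.lock to (tag, status)."""
    lock = json.loads(lock_json)
    result = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg["name"]
            if name in FIXED_BY_BRANCH:
                result[name] = (pkg["version"], classify(name, pkg["version"]))
    return result


# Constructed sample lock file: one vulnerable pin plus an unrelated package.
SAMPLE_LOCK = """{
  "packages": [
    {"name": "nette/application", "version": "v3.0.5"},
    {"name": "nette/utils", "version": "v3.1.2"}
  ],
  "packages-dev": []
}"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, (tag, status) in audit_lock(data).items():
        print(f"{name} {tag}: {status}")
    # → nette/application v3.0.5: vulnerable
```

Run it as python audit_nette.py /path/to/composer.lock over each project; anything reported as "vulnerable" needs composer update nette/application (or nette/nette for 2.0/2.1), and anything "unknown" is a dev snapshot whose commit has to be compared manually. If the hosting runs an older PHP than your workstation, pin the platform first with composer config platform.php &lt;version&gt; so Composer does not resolve packages the server cannot load.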
Update by Downloading the Package
If you use distribution packages instead of Composer, you can download them from the archive.
Fastest Fix
Michal Špaček wrote a Linux script which automatically applies the patch
directly to the Nette source code on disk. It is useful if you maintain a
large number of projects that you do not have time to update properly using
Composer.
Comments
Hi @DG, I cannot find the commit resolving this issue to update.
Comparing 2.0.18 and 2.0.19 it can't be anything else than this commit: https://github.com/…e368d05a3348
That was 25 Aug!!! The flaw was published yesterday …
Wow, really appreciate fixes for 2.0! Thank you!
#3 nargotik First you need to inform partners and other users via email and give them sufficient time to patch websites before the information is released publicly.