CVE-2020-15227
Published: 1 October 2020
Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16 and 3.0.6 are vulnerable to a code injection attack in which specially formed parameters passed in the URL may possibly lead to RCE. Nette is a PHP/Composer MVC framework.
Priority
Status
Package | Release | Status |
---|---|---|
php-nette (Launchpad, Ubuntu, Debian) | impish | Does not exist |
php-nette | focal | Does not exist |
php-nette | groovy | Does not exist |
php-nette | hirsute | Does not exist |
php-nette | trusty | Does not exist |
php-nette | bionic | Released (2.4-20160731-1ubuntu0.1) |
php-nette | xenial | Released (2.3.8-1ubuntu1+esm1), available with Ubuntu Pro |
php-nette | kinetic | Does not exist |
php-nette | lunar | Does not exist |
php-nette | jammy | Does not exist |
php-nette | upstream | Released (2.2.10, 2.3.14, 2.4.16, 3.0.6) |
php-nette | mantic | Does not exist |

Patches:
upstream: https://github.com/nette/nette/commit/6730d3c7953f963aed17678c9daa6e1448177268
upstream: https://github.com/nette/nette/commit/af72a89976cd1aeeacccb942740f445752de6cae
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |