eZ Platform Object Injection in SiteAccessMatchListener

This Security Advisory is about an object injection vulnerability in the SiteAccessMatchListener of eZ Platform, which could lead to remote code execution (RCE), a very serious threat. All sites may be affected.

Update: There are bugs introduced by this fix, particularly but not limited to compound siteaccess matchers. These have been fixed in ezsystems/ezplatform-kernel v1.0.3, and in ezsystems/ezpublish-kernel v7.5.8, v6.13.6.4, and v5.4.15.

Published: May 15, 2024
Updated: Jun 27, 2024
GHSA: GHSA-64vj-933f-6pm3
Severity: High
Exploit:

No technical information available.

CWEs:

CWE-94

Affected Software
References

Software	From	Fixed in
ezsystems / ezpublish-kernel	7.5.0	7.5.8
ezsystems / ezpublish-kernel	6.13.0	6.13.6.4
ezsystems / ezpublish-kernel	5.4.0	5.4.15

https://ezplatform.com/security-advisories/ezsa-2020-004-object-injection-in-siteaccessmatchlistener
https://github.com/FriendsOfPHP/security-advisories/blob/master/ezsystems/ezpublish-kernel/2020-05-20-1.yaml

Vulnerability Database

289,697

eZ Platform Object Injection in SiteAccessMatchListener