CVE-2023-37473 - OpenCVE

zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zenstruck	Collection

Configuration 1 [-]

cpe:2.3:a:zenstruck:collection:0.2.1:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c
https://github.com/zenstruck/collection/releases/tag/v0.2.1
https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-14T20:00:16.909Z

Updated: 2024-08-02T17:16:30.334Z

Reserved: 2023-07-06T13:01:36.998Z

Link: CVE-2023-37473

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-14T21:15:09.047

Modified: 2023-07-31T17:12:55.187

Link: CVE-2023-37473

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37473", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-06T13:01:36.998Z", "datePublished": "2023-07-14T20:00:16.909Z", "dateUpdated": "2024-08-02T17:16:30.334Z"}, "containers": {"cna": {"title": "Limited code execution in zenstruck/collections", "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "lang": "en", "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq"}, {"name": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c", "tags": ["x_refsource_MISC"], "url": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c"}, {"name": "https://github.com/zenstruck/collection/releases/tag/v0.2.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/zenstruck/collection/releases/tag/v0.2.1"}], "affected": [{"vendor": "zenstruck", "product": "collection", "versions": [{"version": "< 0.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-14T20:00:16.909Z"}, "descriptions": [{"lang": "en", "value": "zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`."}], "source": {"advisory": "GHSA-7xr2-8ff7-6fjq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:30.334Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq"}, {"name": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c"}, {"name": "https://github.com/zenstruck/collection/releases/tag/v0.2.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/zenstruck/collection/releases/tag/v0.2.1"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zenstruck:collection:0.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "E1467BC0-DA70-402B-A066-205A6D03F1A8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "zenstruck/collections is a set of helpers for iterating/paginating/filtering collections. Passing _callable strings_ (ie `system`) caused the function to be executed. This would result in a limited subset of specific user input being executed as if it were code. This issue has been addressed in commit `f4b1c48820` and included in release version 0.2.1. Users are advised to upgrade. Users unable to upgrade should ensure that user input is not passed to either `EntityRepository::find()` or `query()`."}], "id": "CVE-2023-37473", "lastModified": "2023-07-31T17:12:55.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-07-14T21:15:09.047", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/zenstruck/collection/releases/tag/v0.2.1"}, {"source": "security-advisories@github.com", "tags": ["Mitigation"], "url": "https://github.com/zenstruck/collection/security/advisories/GHSA-7xr2-8ff7-6fjq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "security-advisories@github.com", "type": "Primary"}]}