PT-2018-18419 · Yii · Yii2-Redis

Published: 2018-03-21 · Updated: 2022-05-14 · CVE-2018-8073

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Yii versions prior to 2.0.15; yii2-redis (affected versions not specified)
Description: The issue allows remote attackers to execute arbitrary Lua code, potentially leading to remote code execution in the Lua context of the Redis server. This can be achieved via methods such as yii\redis\ActiveRecord::findOne() and yii\redis\ActiveRecord::findAll() in the yiisoft/yii2-redis extension. Attackers could manipulate data on the Redis server.
Recommendations: For Yii versions prior to 2.0.15, update to version 2.0.15 or later. For yii2-redis, as a temporary workaround, consider restricting access to the yii\redis\ActiveRecord::findOne() and yii\redis\ActiveRecord::findAll() methods until a patch is available. At the moment, there is no information about a newer version of yii2-redis that contains a fix for this vulnerability.

Exploit · Fix · RCE · Code Injection


Weakness Enumeration

Related Identifiers: CVE-2018-8073, GHSA-4HX3-M8W5-G5QH

Affected Products: Yii, Yii2-Redis