PT-2020-18314 · Sylius · Sylius

Published

2020-01-27

·

Updated

2020-02-07

·

CVE-2020-5218

CVSS v3.1

4.4

Medium

Vector AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Sylius versions prior to 1.3.13
Sylius versions 1.3.0 through 1.3.12
Sylius versions 1.4.0 through 1.4.5
Sylius version 1.5.0
Sylius versions 1.6.0 through 1.6.2

Description

The issue allows attackers to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true. However, if sylius_channel.debug is not set explicitly in the configuration, the default value, %kernel.debug%, is not resolved before being cast to boolean; the non-empty placeholder string casts to true, which enables this debug feature even when the parameter is set to false. Additionally, ResourceBundle accepts and uses any serialization groups passed via an HTTP header, which might lead to data exposure through an unintended serialization group.

Recommendations

For Sylius versions 1.3.0 through 1.3.12, update to version 1.3.13 or newer.
For Sylius versions 1.4.0 through 1.4.5, update to version 1.4.6 or newer.
For Sylius version 1.5.0, update to version 1.5.1 or newer.
For Sylius versions 1.6.0 through 1.6.2, update to version 1.6.3 or newer.
For versions older than 1.3, add the configuration sylius_channel: { debug: false } to run in production.
As a temporary workaround, consider overriding the sylius.resource_controller.request_configuration_factory service with an implementation that does not handle custom serialization groups via the HTTP header.
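The channel-switching part of this advisory comes down to one configuration-handling mistake: a default written as the placeholder string "%kernel.debug%" that is cast to boolean without ever being resolved. The following Python model (an added illustration, not Sylius or Symfony code) reproduces that behaviour beside a resolver that refuses unresolved placeholders and non-boolean values, and shows why the explicit `debug: false` in the recommendation closes the gap. The config dictionaries, the `parameters` mapping and the function names are constructed for this example; the key `sylius_channel.debug`, the parameter `kernel.debug` and the `_channel_code` query parameter are the ones named in the advisory.

```python
"""Model of the advisory's failure mode: an unresolved "%kernel.debug%"
placeholder cast to boolean. Illustration only, not Sylius/Symfony code."""

import re
from typing import Any, Mapping

# Matches a Symfony-style "%parameter.name%" placeholder (constructed regex).
PLACEHOLDER = re.compile(r"^%([A-Za-z0-9_.]+)%$")
DEFAULT_DEBUG = "%kernel.debug%"  # the default the advisory describes


def buggy_channel_debug(config: Mapping[str, Any],
                        parameters: Mapping[str, Any]) -> bool:
    """Vulnerable behaviour: the default placeholder string is never resolved
    against `parameters`, so bool("%kernel.debug%") is True even when
    kernel.debug is False."""
    value = config.get("sylius_channel", {}).get("debug", DEFAULT_DEBUG)
    return bool(value)  # non-empty string -> True, regardless of parameters


def resolved_channel_debug(config: Mapping[str, Any],
                           parameters: Mapping[str, Any]) -> bool:
    """Hardened behaviour: resolve a placeholder against the parameter bag,
    fail loudly on anything unresolved, and require a real boolean."""
    value = config.get("sylius_channel", {}).get("debug", DEFAULT_DEBUG)
    if isinstance(value, str):
        match = PLACEHOLDER.match(value)
        if match is None:
            raise ValueError(f"sylius_channel.debug must be a boolean, got {value!r}")
        name = match.group(1)
        if name not in parameters:
            raise KeyError(f"unresolved parameter {name!r} in sylius_channel.debug")
        value = parameters[name]
    if not isinstance(value, bool):
        raise TypeError(f"sylius_channel.debug resolved to non-boolean {value!r}")
    return value


def channel_switch_allowed(debug: bool, query: Mapping[str, str]) -> bool:
    """The debug-only override: honour a _channel_code query parameter only
    when the debug flag is genuinely on."""
    return debug and "_channel_code" in query


def audit_debug_setting(config: Mapping[str, Any],
                        parameters: Mapping[str, Any]) -> str:
    """Defender's check: compare what the buggy and hardened resolvers yield
    for a given config and report whether the debug switch is exposed."""
    effective = buggy_channel_debug(config, parameters)
    intended = resolved_channel_debug(config, parameters)
    if effective and not intended:
        return "EXPOSED: debug channel switching enabled despite kernel.debug=false"
    return "ok"


if __name__ == "__main__":
    prod_params = {"kernel.debug": False}          # constructed parameter bag
    implicit = {}                                   # no sylius_channel.debug set
    explicit = {"sylius_channel": {"debug": False}} # the advisory's fix
    print(audit_debug_setting(implicit, prod_params))
    print(audit_debug_setting(explicit, prod_params))
```

Run it as a script and the implicit configuration reports the exposure while the explicit `debug: false` reports ok; the point of `resolved_channel_debug` is that a placeholder which cannot be resolved is treated as a configuration error rather than silently becoming a truthy string.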

Exploit

Fix

HTTP Request/Response Smuggling

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2020-5218
GHSA-8VP7-J5CJ-VVM2
GHSA-PRG5-HG25-8GRQ

Affected Products

Sylius